CVE-2026-39838
Cross-Site Scripting in MediaWiki ProofreadPage Extension
Publication date: 2026-04-07
Last updated on: 2026-04-08
Assigner: wikimedia-foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia_foundation | mediawiki | proofreadpage |
| wikimedia | mediawiki_proofreadpage_extension | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39838 is a vulnerability in the ProofreadPage extension for MediaWiki. It arises because the extension runs user-submitted multiline CSS through Sanitizer::checkCSS, a sanitizer designed for single inline style attributes, which does not correctly handle multiline stylesheets placed inside a <style> element.
Because that check runs before HTML entities are decoded, an attacker can write dangerous constructs such as @import and url() with HTML character references (for example &#x75;rl( in place of url(), so that the sanitizer sees nothing to block. When the entities are decoded later, the rule becomes live and the injected CSS takes effect.
For example, an attacker can insert a rule that loads an external image by writing the url() function with HTML entities, which the sanitizer fails to block.
How can this vulnerability impact me?
This vulnerability allows an attacker who can edit the affected CSS field to inject arbitrary CSS into pages rendered by the ProofreadPage extension. CSS injection of this kind leads to content injection or information leakage.
Specifically, injected rules can load external resources (a url() to an attacker-controlled host reveals the reader's IP address and user agent to that host), alter the page's appearance, or abuse browser behaviour to compromise readers' experience or privacy.
The affected CSS field is only enabled on some wikis, and at the time of the advisory it was in use on roughly 190 pages, so exposure is limited to wikis where the extension and that field are active.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is improper sanitization of multiline CSS submitted through the ProofreadPage extension, which lets dangerous CSS constructs bypass the check when they are written as encoded HTML entities. It is detected by examining what has been submitted through the affected CSS field, not the extension's source files.
The user-controlled CSS is stored as wiki content (the CSS field is part of the Index page content that ProofreadPage keeps in the wiki database), so inspect that content for multiline CSS containing HTML character references that decode to rules such as @import or url(). A character reference has no legitimate purpose inside a CSS field, so any hit deserves a closer look.
Suggested commands: export the current revisions and grep the dump, rather than grepping the extension directory (which holds only the extension's own shipped stylesheets). Note that the XML dump escapes the ampersand, so a reference such as &#x75; appears in the dump as &amp;#x75;:
- php maintenance/dumpBackup.php --current > current.xml
- grep -nE '&amp;#x?[0-9a-fA-F]+;' current.xml (numeric character references; review hits that sit in an Index page's CSS field)
- grep -nE '@import|url\(' current.xml (plain at-rules and url(); legitimate uses exist, so confirm each hit manually)
Additionally, monitoring HTTP responses for injected CSS that loads external resources (for example background images fetched from hosts outside the wiki) can help detect exploitation attempts.
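To make the ordering bug concrete, and to give the detection steps above a check that actually decodes before it looks, here is an added example in Python. It is not ProofreadPage or MediaWiki code: the DANGEROUS regex is a stand-in for the real sanitizer, the sample CSS values are constructed, and the handling of CSS backslash escapes and comments goes beyond what the advisory describes (the same decode-before-check principle applied to the other encoding layers a browser resolves). check_before_decode reproduces the check-then-decode order the advisory describes; decode_before_check is the corrected order; find_bypasses lists the constructed inputs that slip through the first and are caught by the second.

```python
"""
Decode-then-check CSS screening, contrasted with the check-then-decode order
the advisory describes. Added example: a regex stand-in for the sanitizer,
not ProofreadPage or MediaWiki code. Sample CSS values are constructed.
"""
import html
import re
from typing import Dict, List, Optional

# Constructs that untrusted CSS destined for a <style> element must not contain:
# at-rules that pull in remote stylesheets, and url(), which fetches remote resources.
DANGEROUS = re.compile(
    r"@import\b|@charset\b|url\s*\(|expression\s*\(|javascript\s*:",
    re.IGNORECASE,
)

# CSS backslash escapes ("\75 rl(" is "url(" to the browser) are a second encoding
# layer the browser resolves; handling them goes beyond the advisory (assumption).
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n]?|\\(.)", re.DOTALL)


def _unescape_css(m: re.Match) -> str:
    if m.group(1) is not None:
        code = int(m.group(1), 16)
        return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
    return m.group(2)


def normalise(css: str) -> str:
    """Apply the decodings a browser applies before it interprets the CSS."""
    decoded = html.unescape(css)                       # &#x75; -> u, &#64; -> @
    decoded = _CSS_ESCAPE.sub(_unescape_css, decoded)  # \75 rl( -> url(
    return re.sub(r"/\*.*?\*/", "", decoded, flags=re.DOTALL)  # u/**/rl( -> url(


def check_before_decode(css: str) -> Optional[str]:
    """Vulnerable order from the advisory: screen the raw text, decode entities later.
    Returns the CSS that would reach the page, or None if rejected."""
    if DANGEROUS.search(css):
        return None
    return html.unescape(css)   # the encoded url()/@import becomes live only now


def decode_before_check(css: str) -> Optional[str]:
    """Hardened order: decode every layer first, then screen the result."""
    decoded = normalise(css)
    if DANGEROUS.search(decoded):
        return None
    return decoded


# Constructed sample values for an Index page CSS field (not real wiki data).
SAMPLES: Dict[str, str] = {
    "benign": ".pagetext { font-family: serif; line-height: 1.4; }",
    "plain_url": ".pagetext { background: url(https://tracker.invalid/p.png); }",
    "entity_url": ".pagetext { background: &#x75;rl(https://tracker.invalid/p.png); }",
    "entity_import": "&#64;import 'https://tracker.invalid/x.css';",
    "css_escape_url": ".pagetext { background: \\75 rl(https://tracker.invalid/p.png); }",
}


def find_bypasses(samples: Dict[str, str]) -> List[str]:
    """Names of samples the raw-text check lets through although they decode to
    dangerous CSS: exactly the inputs that exploit the ordering bug."""
    return sorted(
        name for name, css in samples.items()
        if check_before_decode(css) is not None and decode_before_check(css) is None
    )


if __name__ == "__main__":
    for name in find_bypasses(SAMPLES):
        print(f"{name}: raw-text check accepted -> {check_before_decode(SAMPLES[name])!r}")
```

normalise can be run over CSS pulled from the Index pages before searching for @import and url(), which catches the encoded forms that the grep patterns above only approximate; a regex screen like DANGEROUS is still only a triage tool, and the advisory's fix is to replace the check with a real CSS parser and sanitizer.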
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the ProofreadPage CSS field that accepts user-submitted multiline CSS, since that field is the attack vector; if patching cannot happen right away, disabling the field temporarily prevents exploitation.
Apply the security patch, which replaces the unsafe `Sanitizer::checkCSS` call with the `wikimedia/css-sanitizer` package. That library parses the stylesheet rather than pattern-matching its text, so it handles multiline CSS correctly and disallows the dangerous at-rules.
Stop passing the styles through `Sanitizer::escapeHtmlAllowEntities`, which preserves the character references the bypass relies on, and embed them with `Html::inlineStyle` instead, which emits the <style> element itself and wraps the contents in a CDATA section when they contain characters that would otherwise break out of the element.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-39838 is a cross-site scripting (XSS) vulnerability caused by improper sanitization of multiline CSS styles in the ProofreadPage MediaWiki extension. This vulnerability allows attackers to inject dangerous CSS rules via encoded HTML entities, potentially leading to content injection or information leakage.
While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities like XSS can lead to unauthorized access or leakage of sensitive information, which may impact compliance with data protection regulations that require safeguarding personal data and ensuring system security.
Therefore, if exploited, this vulnerability could pose risks to the confidentiality and integrity of data managed by affected MediaWiki installations, potentially affecting compliance with regulations that mandate protection against such security threats.