CVE-2026-39838
Received Received - Intake
Cross-Site Scripting in MediaWiki ProofreadPage Extension

Publication date: 2026-04-07

Last updated on: 2026-04-08

Assigner: wikimedia-foundation

Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39838
EUVD
EUVD-2026-19889
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wikimedia_foundation mediawiki proofreadpage
wikimedia mediawiki_proofreadpage_extension *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39838 is a security vulnerability in the ProofreadPage extension of Wikimedia's MediaWiki software. It arises because the extension improperly sanitizes multiline CSS styles submitted by users. The sanitizer used, Sanitizer::checkCSS, is designed only for inline CSS styles and does not correctly handle multiline CSS blocks inside <style> elements.

Because sanitization happens before decoding HTML entities, attackers can encode dangerous CSS constructs like @import and url() using HTML entities, which bypass the sanitizer. When these entities are decoded later, the malicious CSS becomes active, allowing injection of harmful CSS rules.

For example, an attacker can insert CSS that loads an external image by encoding the url() function with HTML entities, which the sanitizer fails to block.

Compliance Impact

CVE-2026-39838 is a cross-site scripting (XSS) vulnerability caused by improper sanitization of multiline CSS styles in the ProofreadPage MediaWiki extension. This vulnerability allows attackers to inject dangerous CSS rules via encoded HTML entities, potentially leading to content injection or information leakage.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities like XSS can lead to unauthorized access or leakage of sensitive information, which may impact compliance with data protection regulations that require safeguarding personal data and ensuring system security.

Therefore, if exploited, this vulnerability could pose risks to the confidentiality and integrity of data managed by affected MediaWiki installations, potentially affecting compliance with regulations that mandate protection against such security threats.

Detection Guidance

This vulnerability involves improper sanitization of multiline CSS styles in the ProofreadPage MediaWiki extension, allowing dangerous CSS constructs to bypass sanitization via encoded HTML entities.

To detect this vulnerability on your system, you can inspect the CSS content submitted through the ProofreadPage extension, especially looking for multiline CSS blocks containing encoded HTML entities that decode into dangerous CSS rules such as @import or url().

Suggested commands include searching for suspicious CSS patterns in the database or files where the ProofreadPage extension stores CSS, for example using grep to find encoded CSS entities or dangerous CSS at-rules:

  • grep -r --include='*.css' -E '@import|url\(&#x|url\(&#' /path/to/mediawiki/extensions/ProofreadPage/
  • grep -r --include='*.txt' -E '&#x75;rl|@import' /path/to/mediawiki/data/

Additionally, monitoring HTTP responses for injected CSS that loads external resources (e.g., background images from external URLs) can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include disabling or removing the CSS field in the ProofreadPage extension that allows user-submitted multiline CSS, as this field is the attack vector.

Apply the security patch that replaces the unsafe sanitizer `Sanitizer::checkCSS` with the more robust `wikimedia/css-sanitizer` package, which properly handles multiline CSS and disallows dangerous at-rules.

Remove the use of `Sanitizer::escapeHtmlAllowEntities` as it allows bypasses via entity decoding, and instead use safe embedding methods such as `Html::inlineStyle` which escapes dangerous characters and wraps styles in CDATA sections if necessary.

If immediate patching is not possible, consider disabling the ProofreadPage extension's CSS feature temporarily to prevent exploitation.

Impact Analysis

This vulnerability allows attackers to inject malicious CSS into pages using the ProofreadPage extension. Such CSS injection can lead to content injection or information leakage.

Specifically, attackers can use this flaw to load external resources, manipulate page appearance, or potentially exploit browser behaviors to compromise user experience or privacy.

Since the CSS field affected is enabled in some wikis and used on approximately 190 pages, the risk exists in those environments where the extension and vulnerable CSS field are active.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39838. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart