CVE-2026-39840
Status: Received - Intake
Cross-Site Scripting in Mediawiki Cargo Extension Before 3.8.7

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: wikimedia-foundation

Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: mediawiki
Product: cargo
Version / Range: before 3.8.7 (3.8.7 itself is not affected)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The available information does not say how CVE-2026-39840 affects compliance with standards or regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-39840 is a vulnerability in the MediaWiki Cargo extension (versions before 3.8.7) that lets an attacker inject arbitrary, unsanitized CSS into the output of several Cargo display formats, including calendar, BPMN, Gantt, and timeline.

The root cause is missing validation and sanitization of the inline CSS that Cargo applies to the elements it generates for these formats. The reproduction payload (width=100; background: url(https://http.cat/418);) shows the mechanism: the style parameter is placed into a style attribute as-is, so the semicolon ends the intended width declaration and everything after it becomes attacker-controlled CSS. The CVE record classifies this as CWE-79 ("XSS targeting non-script elements"); in practice it is CSS injection rather than script injection.

Anyone who can edit a page that embeds a Cargo query (the #cargo_query parser function) can exploit it by putting malicious CSS in a style parameter; the CSS is then rendered unsanitized for every reader of that page.


How can this vulnerability impact me?

If you run a wiki with a vulnerable Cargo version, anyone able to edit pages can inject arbitrary CSS into pages rendered by the affected Cargo display formats.

Injected CSS can manipulate the user interface: hiding, reordering or overlaying content, misleading readers, or defacing the page. Because CSS can reference external resources (the reproduction payload loads an attacker-chosen URL as a background image), every reader's browser can also be made to contact a server the attacker controls.

It does not directly allow script execution. It can still be combined with other weaknesses or with social engineering (for example, visually spoofing interface elements) to affect user security.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection comes down to testing whether the affected Cargo display formats (calendar, BPMN, Gantt, timeline) pass CSS style parameters through unsanitized.

In practice: create a Cargo table, write a Cargo query that uses one of those formats with a style parameter (for example, the width parameter of the calendar format), put a recognisable CSS payload in it, and inspect the rendered HTML to see whether the payload reaches a style attribute unchanged. Checking the installed extension version on Special:Version is the quicker first step: any Cargo version below 3.8.7 is affected.

No commands are given in the referenced resources; the reproduction steps are:

  • Create a Cargo table named "Calendar" with a declared field "Date".
  • Use a Cargo query with the calendar format and specify a CSS style in the width parameter, e.g., width=100; background: url(https://http.cat/418);
  • Store data in the Cargo table.
  • Visit the page rendering the calendar format and purge cache if necessary.

If the injected CSS is applied unsanitized, the vulnerability is present.
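As an added example (not code from the Cargo project, the CVE record, or the resources this page refers to), the following Python script turns the reproduction steps above into a repeatable check: it builds the step-2 query wikitext with the advisory's payload, scans rendered HTML for style attributes that carry the payload marker or CSS constructs a width parameter should never produce, and includes a helper that renders wikitext through MediaWiki's action=parse API. The function names, the sample container markup (the real Cargo output differs; only the style attribute matters) and the API URL are assumptions; the samples are constructed.

```python
"""
Checker for CVE-2026-39840-style CSS injection in Cargo display formats.
Added illustration; not code from the Cargo project or the CVE record.
Assumptions: the Cargo container markup in the samples is made up, the
function names are ours, and the wikitext follows the page's repro steps.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import List

# Payload quoted in the advisory's reproduction steps.
INJECTED_WIDTH = "100; background: url(https://http.cat/418);"

# Matches the value of any style="..." attribute in rendered HTML.
STYLE_ATTR = re.compile(r'style\s*=\s*"([^"]*)"', re.IGNORECASE)
# CSS constructs that a width parameter must never be able to introduce.
DANGEROUS = re.compile(r'url\s*\(|expression\s*\(|@import|behavior\s*:|-moz-binding',
                       re.IGNORECASE)


def build_query_wikitext(width: str = INJECTED_WIDTH) -> str:
    """Step 2 of the repro: a calendar-format query with the CSS payload in width=.
    Assumes the 'Calendar' table with a 'Date' field already exists (steps 1 and 3)."""
    return "{{#cargo_query:tables=Calendar|fields=Date|format=calendar|width=" + width + "}}"


def style_attributes(html: str) -> List[str]:
    return [m.group(1) for m in STYLE_ATTR.finditer(html)]


def injected_styles(html: str, marker: str = "http.cat/418") -> List[str]:
    """Style attribute values that still contain the payload marker verbatim."""
    return [s for s in style_attributes(html) if marker in s]


def suspicious_styles(html: str) -> List[str]:
    """Style attributes containing url()/expression()/@import and similar.
    On a full wiki page, narrow the HTML to the query output first so that
    legitimate inline styles elsewhere on the page are not flagged."""
    return [s for s in style_attributes(html) if DANGEROUS.search(s)]


def is_vulnerable(html: str) -> bool:
    return bool(injected_styles(html)) or bool(suspicious_styles(html))


def parse_via_api(api_url: str, wikitext: str) -> str:
    """Render wikitext with MediaWiki's action=parse and return the HTML.
    Needs network access and a wiki where the Calendar table exists; the
    api_url (e.g. https://wiki.example.org/w/api.php) is a placeholder."""
    data = urllib.parse.urlencode({
        "action": "parse", "text": wikitext, "contentmodel": "wikitext",
        "prop": "text", "format": "json",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(api_url, data=data)) as resp:
        return json.load(resp)["parse"]["text"]["*"]


# Constructed sample outputs: what a vulnerable and a fixed version would plausibly
# emit for the calendar container. Real Cargo markup is different.
VULNERABLE_SAMPLE = (
    '<div class="cargoCalendar" '
    'style="width: 100; background: url(https://http.cat/418);">...</div>'
)
PATCHED_SAMPLE = '<div class="cargoCalendar" style="width: 100px">...</div>'


if __name__ == "__main__":
    print(build_query_wikitext())
    print("vulnerable sample flagged:", is_vulnerable(VULNERABLE_SAMPLE))
    print("patched sample flagged:", is_vulnerable(PATCHED_SAMPLE))
    # Against a real wiki (after steps 1 and 3):
    # print(is_vulnerable(parse_via_api("https://wiki.example.org/w/api.php",
    #                                   build_query_wikitext())))
```

Run it offline to see the checker flag the constructed vulnerable sample and pass the patched one; against a live wiki, feed the HTML returned by parse_via_api (or the page source after a purge) into is_vulnerable.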


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to update the MediaWiki Cargo extension to version 3.8.7 or later; confirm the installed version on Special:Version.

The fix adds validation and sanitization of the CSS style values used by Cargo display formats, so arbitrary CSS can no longer be injected through style parameters.

If updating is not immediately possible, consider disabling or restricting the affected display formats (calendar, BPMN, Gantt, timeline), and treat edit rights as the attack surface: an attacker only needs to be able to edit a page that renders a Cargo query.
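To show the defect class beside the shape of a fix, here is an added illustration in Python; it is not the Cargo extension's PHP, and the page does not describe the exact change made in 3.8.7. The accepted width grammar (a bare number, or a number with px/em/rem/%), the fallback default, and the function names are assumptions.

```python
"""
Vulnerable-vs-hardened handling of a 'width' display parameter.
Added illustration, not the Cargo project's code or its actual fix.
Assumptions: width grammar, default value and helper names are ours.
"""
import html
import re
from typing import Optional

# Payload from the advisory's reproduction steps.
PAYLOAD = "100; background: url(https://http.cat/418);"

# Allow-list: a bare number or a number with a unit, nothing else.
CSS_LENGTH = re.compile(r'\d+(?:\.\d+)?(?:px|em|rem|%)?')


def render_width_vulnerable(width: str) -> str:
    """Interpolates the parameter straight into the style attribute. The ';'
    in the payload ends the width declaration and the rest becomes
    attacker-controlled CSS."""
    return '<div class="calendar" style="width: %s">' % width


def validate_width(width: str) -> Optional[str]:
    """Return a normalised CSS length, or None if the value is not one.
    A bare number is treated as pixels (assumption; the advisory's
    reproduction uses width=100 without a unit)."""
    value = width.strip()
    if not CSS_LENGTH.fullmatch(value):
        return None
    return value + "px" if value[-1].isdigit() else value


def render_width_hardened(width: str, default: str = "100%") -> str:
    """Rejects anything that is not a plain length and falls back to a default;
    the surviving value is also attribute-escaped so it cannot break out of
    the attribute even if the allow-list were later relaxed."""
    value = validate_width(width) or default
    return '<div class="calendar" style="width: %s">' % html.escape(value, quote=True)


if __name__ == "__main__":
    print("vulnerable:", render_width_vulnerable(PAYLOAD))
    print("hardened:  ", render_width_hardened(PAYLOAD))
    print("hardened:  ", render_width_hardened("100"))
```

In a MediaWiki extension the equivalent building blocks are core's Sanitizer::checkCss() for style values and Html::element() for attribute escaping; the page does not say which route Cargo 3.8.7 took, and an allow-list on the parameter, as above, is the stricter option because a width never needs more than a single length.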

