CVE-2026-39841
Stored XSS in Mediawiki Cargo Extension Before

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: wikimedia-foundation

Description
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: mediawiki
Product: cargo
Version / Range: up to 3.8.7 (excluding 3.8.7)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39841 is a stored Cross-Site Scripting (XSS) vulnerability in the MediaWiki Cargo extension. It occurs because arbitrary HTML, including malicious scripts, can be stored in a Cargo table's list field and then rendered without proper HTML encoding. This improper handling allows embedded scripts to execute when viewing pages that display these list fields.

Specifically, the vulnerability arises because individual list items are not properly HTML-encoded before rendering, and non-Wikitext field types bypass the usual sanitization. This enables attackers to inject scripts that run in the context of the affected MediaWiki pages.


How can this vulnerability impact me?

This vulnerability can allow attackers to execute arbitrary scripts in the context of users viewing affected MediaWiki pages. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the user.

Since the XSS is stored, the malicious script persists in the database and affects all users who view the compromised pages, increasing the potential impact.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing for stored Cross-Site Scripting (XSS) in the Cargo extension's list fields. Specifically, you can create a Cargo table with a list field and attempt to store malicious script tags such as <script>alert('xss')</script> in that field.

After storing the malicious content, visiting the pages Special:CargoTables/XSS or Template:XSS?action=pagevalues will trigger the stored XSS if the vulnerability is present.

There are no specific network commands provided, but the detection involves interacting with the MediaWiki interface to insert and view potentially malicious payloads in Cargo list fields.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Cargo extension to version 3.8.7 or later, where the vulnerability has been fixed by properly escaping list field items before rendering.

If upgrading immediately is not possible, avoid storing untrusted or arbitrary HTML content in Cargo list fields, and restrict editing permissions to trusted users only.

Applying the security patch identified as Change #1237973 will also mitigate the issue by ensuring proper HTML encoding of list items.
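The escaping that the fix relies on, shown as an added PHP illustration that is not the Cargo extension's own code; the function names are hypothetical, the sample list items are constructed, and only the bug pattern (list items of non-Wikitext fields joined into page HTML without encoding) follows the CVE description:

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the Cargo extension. Function names are
// hypothetical; only the bug pattern follows the CVE description: list items
// of non-Wikitext fields were joined into page HTML without encoding.

/** Vulnerable pattern: raw stored items are concatenated into the output. */
function renderListFieldVulnerable(array $items): string
{
    return '<ul><li>' . implode('</li><li>', $items) . '</li></ul>';
}

/**
 * Hardened pattern (what the fix amounts to): every item is HTML-encoded
 * before it is placed in the output. ENT_QUOTES also encodes quotes, so the
 * same function is safe for values that end up inside attribute values.
 */
function renderListFieldSafe(array $items): string
{
    $escaped = array_map(
        static fn (string $item): string => htmlspecialchars($item, ENT_QUOTES, 'UTF-8'),
        $items
    );
    return '<ul><li>' . implode('</li><li>', $escaped) . '</li></ul>';
}

/**
 * Defender's triage helper: flag stored list values that carry script-related
 * markup so they can be reviewed after the upgrade. Deliberately crude; it is
 * a filter for a clean-up pass, not a sanitizer.
 */
function listItemLooksLikeMarkup(string $item): bool
{
    return (bool) preg_match('/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i', $item);
}

// Constructed sample: one benign item and one item holding the payload the
// advisory text mentions.
$items = ['Alice', "<script>alert('xss')</script>"];

echo renderListFieldVulnerable($items), PHP_EOL;  // script tag reaches the browser intact
echo renderListFieldSafe($items), PHP_EOL;        // script tag is rendered as visible text

foreach ($items as $item) {
    if (listItemLooksLikeMarkup($item)) {
        echo 'review: stored item contains script-related markup: ', $item, PHP_EOL;
    }
}
```

Running the triage helper over existing Cargo list values after upgrading is worthwhile because the upgrade stops new payloads from rendering but does not remove content already stored in the database.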


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-39841 is a stored Cross-Site Scripting (XSS) vulnerability in the MediaWiki Cargo extension that allows arbitrary script injection via improperly escaped list field items.

Such a vulnerability can impact compliance with common standards and regulations like GDPR and HIPAA because it may lead to unauthorized access or exposure of sensitive user data through malicious scripts executed in users' browsers.

Stored XSS vulnerabilities can facilitate attacks such as session hijacking, data theft, or unauthorized actions performed on behalf of users, which violate data protection and privacy requirements mandated by these regulations.

Therefore, organizations using affected versions of the Cargo extension must apply the security patch to prevent potential breaches and maintain compliance with relevant security and privacy standards.

