CVE-2026-34089
Received Received - Intake
Sandbox Escape in Wikimedia Scribunto

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: wikimedia-foundation

Description
Vulnerability in Wikimedia Foundation Scribunto. This issue affects Scribunto: from 1.45.0 before 1.45.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-34089
EUVD
EUVD-2026-29061
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wikimedia_foundation scribunto From 1.45.0 (inc) to 1.45.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34089 is a memory leak vulnerability in the Scribunto extension for MediaWiki. It occurs because Scribunto introduced a WeakMap to store engine objects, but these objects were not properly garbage collected due to a reference cycle. This causes memory to be exhausted when running jobs, especially when processing Lua modules that trigger multiple parses.

The issue was confirmed by reproducing it with a specially crafted Lua module that intentionally consumes memory. The fix involved manually breaking the reference cycle by calling the destroy() method on engine objects, allowing proper garbage collection.

Impact Analysis

This vulnerability can cause the runJobs.php script in MediaWiki to exhaust available memory, leading to potential service disruptions or degraded performance. Systems running vulnerable versions of Scribunto may experience memory exhaustion when processing certain Lua modules, which can impact the stability and reliability of the MediaWiki installation.

Detection Guidance

This vulnerability can be detected by monitoring the memory usage of the runJobs.php script in the Scribunto extension for MediaWiki. A memory leak caused by a reference cycle in engine objects leads to memory exhaustion, especially when processing Lua modules that trigger multiple parses.

Detection can involve reproducing the issue using a specially crafted Lua module that intentionally consumes memory, as was done to confirm the vulnerability.

  • Monitor memory usage of runJobs.php using commands like: `ps aux | grep runJobs.php` or `top`/`htop` to observe memory consumption over time.
  • Use `strace` or similar tools to trace system calls and memory allocations of the runJobs.php process.
  • Check MediaWiki logs for errors or warnings related to memory exhaustion during job processing.
Mitigation Strategies

The immediate mitigation step is to update the Scribunto extension to a version later than 1.45.2 where the vulnerability has been fixed by applying patches that manually call the destroy() method on engine objects to break the reference cycle and allow proper garbage collection.

If updating is not immediately possible, monitor and limit the memory usage of the runJobs.php script to prevent exhaustion, and avoid running Lua modules that trigger multiple parses or are known to consume excessive memory.

Review and apply any patches available for your current Scribunto version, especially those addressing the destroyEngineForParser() function.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart