CVE-2026-34094
Status: Received - Intake
Cross-Site Scripting in MediaWiki

Publication date: 2026-05-11

Last updated on: 2026-05-18

Assigner: wikimedia-foundation

Description
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the program file includes/Page/Article.php. This issue affects MediaWiki: all versions before 1.43.7, the 1.44 branch before 1.44.4, and the 1.45 branch before 1.45.2.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-18
Generated: 2026-06-21
AI Q&A: 2026-05-11
EPSS Evaluated: 2026-06-19
Affected Vendors & Products (3 associated CPEs)
Vendor     Product     Version / Range
mediawiki  mediawiki   before 1.43.7 (exclusive)
mediawiki  mediawiki   from 1.44.0 (inclusive) to 1.44.4 (exclusive)
mediawiki  mediawiki   from 1.45.0 (inclusive) to 1.45.2 (exclusive)
CWE
CWE-668: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
AI Quick Actions
Executive Summary

CVE-2026-34094 is a security vulnerability in MediaWiki where the customized help link for page protection indicators incorrectly includes the subpage name in the link due to a missing "/wiki/" prefix.

This flaw allows administrators to insert JavaScript into pages, which should normally be restricted to interface administrators only.

The issue affects MediaWiki versions from 1.43 onwards when the $wgEnableProtectionIndicators setting is enabled.

Patches have been released to validate the link target and prevent this misconfiguration.

Impact Analysis

This vulnerability poses a low-severity security risk by allowing administrators to insert JavaScript into pages where such actions should be restricted.

This could potentially lead to unauthorized script execution, which might affect the integrity or behavior of the MediaWiki pages.

Detection Guidance

This vulnerability occurs when the customized help link for page protection indicators incorrectly includes the subpage name without the proper "/wiki/" prefix, allowing administrators to insert JavaScript into pages.

To detect this vulnerability on your system, you should check if your MediaWiki installation is running a vulnerable version (before 1.43.7, 1.44.4, or 1.45.2) and if the $wgEnableProtectionIndicators setting is enabled.

You can inspect the generated page protection indicator links in your MediaWiki pages to see if they include subpage names without the "/wiki/" prefix.

The record itself lists no specific commands, but checks like the following cover the MediaWiki version and the relevant configuration:

  • Check MediaWiki version: grep 'wgVersion' includes/DefaultSettings.php or check Special:Version page in the wiki.
  • Check if $wgEnableProtectionIndicators is enabled by searching your LocalSettings.php: grep 'wgEnableProtectionIndicators' LocalSettings.php
  • Manually inspect page protection indicator links in the rendered HTML for missing "/wiki/" prefix in help links.
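The version and configuration checks above, as an added shell example that is not part of this CVE record or of MediaWiki itself: it encodes the affected ranges from the CPE table and the LocalSettings.php check from the detection guidance. The function names, the script filename in the usage comment, and the assumption that the setting is a plain one-line assignment are mine.

```shell
#!/bin/sh
# Added example (not from the CVE record or the MediaWiki project): flag an
# install that is in an affected range for CVE-2026-34094 AND has
# $wgEnableProtectionIndicators switched on, matching the detection guidance.

# Exit 0 (affected) for versions before 1.43.7, in [1.44.0, 1.44.4) or in
# [1.45.0, 1.45.2), the ranges in the CPE table; pre-release suffixes such as
# "1.44.0-rc.1" are ignored. Exit 2 when the string is not a version at all.
mw_version_affected() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # keep leading digits/dots
    if [ -z "$v" ]; then return 2; fi
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$v" = "$major" ]; then minor=0; patch=0; fi   # "1"    -> 1.0.0
    if [ "$rest" = "$minor" ]; then patch=0; fi         # "1.44" -> 1.44.0
    minor=${minor:-0}; patch=${patch:-0}
    n=$((major * 1000000 + minor * 1000 + patch))       # sortable integer
    if [ "$n" -lt 1043007 ]; then return 0; fi
    if [ "$n" -ge 1044000 ] && [ "$n" -lt 1044004 ]; then return 0; fi
    if [ "$n" -ge 1045000 ] && [ "$n" -lt 1045002 ]; then return 0; fi
    return 1
}

# Exit 0 when the given LocalSettings.php has an uncommented line that sets
# $wgEnableProtectionIndicators to true. Assumption (mine): the setting is a
# plain one-line assignment; a value computed elsewhere is not followed.
mw_protection_indicators_enabled() {
    grep -Eq '^[[:space:]]*\$wgEnableProtectionIndicators[[:space:]]*=[[:space:]]*true' "$1"
}

# Exit 0 when both conditions hold, i.e. the install is exposed as described.
mw_cve_2026_34094_exposed() {
    mw_version_affected "$1" && mw_protection_indicators_enabled "$2"
}

# Usage (hypothetical filename):
#   sh check_mw_34094.sh <version from Special:Version> <path to LocalSettings.php>
if [ "$#" -eq 2 ]; then
    if mw_cve_2026_34094_exposed "$1" "$2"; then
        echo "EXPOSED: MediaWiki $1 is in an affected range and the indicator setting is on"
        exit 1
    fi
    echo "not exposed: version out of range and/or indicator setting off"
fi
```

A non-zero exit from the usage path makes the script usable as a gate in a patch-tracking job; the functions can also be sourced and called individually.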
Mitigation Strategies

To mitigate this vulnerability immediately, you should apply the patches released for MediaWiki versions 1.43.7, 1.44.4, and 1.45.2 that validate the link target and prevent the incorrect inclusion of subpage names.

If patching immediately is not possible, consider disabling the $wgEnableProtectionIndicators setting temporarily to prevent the vulnerable behavior.

Additionally, restrict administrator privileges carefully to minimize the risk of JavaScript injection via this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
