CVE-2026-34094
Cross-Site Scripting in MediaWiki
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: wikimedia-foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia | mediawiki | From 1.43 (inc) to 1.43.7 (exc) |
| wikimedia | mediawiki | From 1.44 (inc) to 1.44.4 (exc) |
| wikimedia | mediawiki | From 1.45 (inc) to 1.45.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34094 is a vulnerability in MediaWiki's page protection indicators, the icons shown on protected pages when $wgEnableProtectionIndicators is enabled (a feature introduced in 1.43). The help link attached to each indicator can be customised on the wiki, and MediaWiki used the customised value as the link target without validating it; as the advisory describes it, the subpage name was placed directly in the link without the expected "/wiki/" prefix.
The security boundary this crosses is the separation between administrators and interface administrators: administrators can customise such links, but only interface administrators are supposed to be able to put JavaScript into pages served to other users. Through the unvalidated link target an administrator could inject JavaScript into the rendered page, which is a cross-site scripting issue at the cost of that privilege separation.
All releases from 1.43 onwards are affected when $wgEnableProtectionIndicators is enabled. The fixed releases (1.43.7, 1.44.4 and 1.45.2) validate the link target so that a customised value can no longer produce a script-bearing link.
How can this vulnerability impact me?
The advisory rates this as low severity, but the practical impact is a privilege-boundary bypass: an administrator account (or an attacker who has taken one over) can inject JavaScript into pages rendered for other users, a capability MediaWiki reserves for interface administrators.
Script injected this way runs in the browser and session of whichever user views or follows the affected link, so the integrity of the affected pages and of the actions those users take on the wiki is at stake. The risk is bounded by two preconditions: the attacker already holds administrator rights, and the protection-indicator feature is switched on.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The flaw is in the customised help link of the page protection indicators, which MediaWiki emitted as a link target without validation (the advisory describes the subpage name being used without the "/wiki/" prefix). An installation is vulnerable only if it both runs an affected version and has $wgEnableProtectionIndicators enabled.
Affected versions are 1.43.0 through 1.43.6, 1.44.0 through 1.44.3 and 1.45.0 through 1.45.1. Releases before 1.43 do not have the feature and are not affected; the fix ships in 1.43.7, 1.44.4 and 1.45.2.
The advisory lists no specific detection commands, but the following checks cover the three conditions:
- Check the version: open Special:Version in the wiki, or on the server read the MW_VERSION constant: grep MW_VERSION includes/Defines.php (the older $wgVersion in DefaultSettings.php no longer exists in these releases).
- Check whether the feature is on: grep -n 'wgEnableProtectionIndicators' LocalSettings.php (and any settings files it includes). Only an uncommented assignment to true enables it; if there is no assignment, the core default (off) applies.
- Audit the link itself: load a protected page, locate the indicator markup in the page header, and confirm that every link inside it points at a wiki path such as /wiki/Help:… rather than a javascript: or other script-capable URL. Also review recent edits to the MediaWiki namespace (namespace 8 on Special:RecentChanges) for changes to the customised help link, since that is where an abuse of this flaw would leave a trace.
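The three checks above, written out as an added Python example (this is not code from the advisory or from MediaWiki): it compares a version string against the affected ranges in the table, reads MW_VERSION out of the text of includes/Defines.php, finds the last uncommented $wgEnableProtectionIndicators assignment in LocalSettings.php, and scans rendered page markup for indicator links whose target carries a script-capable scheme. The mw-indicator class and the indicator ids are assumptions made for illustration, and the sample HTML is constructed, not captured from a real wiki.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Affected release branches as read from the advisory table and Q&A:
# (first affected version, first fixed version) per branch.
AFFECTED_RANGES = [
    ((1, 43, 0), (1, 43, 7)),
    ((1, 44, 0), (1, 44, 4)),
    ((1, 45, 0), (1, 45, 2)),
]
# A help link should be a relative wiki path (no scheme) or a plain web URL;
# anything else (javascript:, data:, vbscript:, ...) is reported.
SAFE_SCHEMES = {"", "http", "https"}
# Elements that never get a closing tag; skipping them keeps nesting depth honest.
VOID_ELEMENTS = {"img", "br", "hr", "input", "meta", "link", "wbr"}


def parse_version(version):
    """'1.43.3' -> (1, 43, 3); a missing patch level counts as .0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised MediaWiki version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def is_affected_version(version):
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def mw_version_from_defines(defines_php):
    """Read the MW_VERSION constant from the text of includes/Defines.php."""
    m = re.search(r"define\(\s*'MW_VERSION'\s*,\s*'([^']+)'", defines_php)
    return m[1] if m else None


def indicators_enabled(localsettings_php):
    """True/False from the last uncommented $wgEnableProtectionIndicators
    assignment in the given LocalSettings.php text; None if it is not set."""
    state = None
    for line in localsettings_php.splitlines():
        code = re.split(r"#|//", line, maxsplit=1)[0]  # drop trailing comments
        m = re.search(r"\$wgEnableProtectionIndicators\s*=\s*(true|false)\s*;", code)
        if m:
            state = m[1] == "true"
    return state


def link_scheme(href):
    """Scheme of an href as a browser sees it: ASCII tab/CR/LF inside the URL
    are ignored, so "java\\tscript:..." still resolves to javascript:."""
    return urlsplit(re.sub(r"[\t\n\r]", "", href).strip()).scheme.lower()


class _IndicatorLinks(HTMLParser):
    """Collect hrefs of <a> tags nested inside any element whose class list
    contains mw-indicator (assumed here to wrap each protection indicator)."""

    def __init__(self):
        super().__init__()
        self.depth = 0  # > 0 while inside an mw-indicator element
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.depth == 0:
            if "mw-indicator" not in (a.get("class") or "").split():
                return
            self.depth = 1
        elif tag not in VOID_ELEMENTS:
            self.depth += 1
        if tag == "a" and a.get("href") is not None:
            self.hrefs.append(a["href"])

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID_ELEMENTS:
            self.depth -= 1


def indicator_links(html):
    p = _IndicatorLinks()
    p.feed(html)
    p.close()
    return p.hrefs


def unsafe_indicator_links(html):
    return [h for h in indicator_links(html) if link_scheme(h) not in SAFE_SCHEMES]


# Constructed sample of rendered page markup (not captured from a real wiki).
SAMPLE_HTML = """
<div class="mw-indicators">
  <div id="mw-indicator-protection-edit" class="mw-indicator">
    <a href="/wiki/Help:Protection" title="Help:Protection"><img src="/lock.svg"></a>
  </div>
  <div id="mw-indicator-protection-move" class="mw-indicator">
    <a href="javascript:alert(document.cookie)">help</a>
  </div>
</div>
<p>A <a href="javascript:void(0)">link outside the indicators</a> is not reported.</p>
"""
```

To run it against a real installation, pass the contents of includes/Defines.php and LocalSettings.php to mw_version_from_defines and indicators_enabled, and the HTML of a protected page (fetched as a logged-in user) to unsafe_indicator_links. The scheme check strips tab, CR and LF before reading the scheme because browsers do the same, so a value like java<TAB>script: is not a way past the filter; a plain string comparison against "javascript:" would miss it.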
What immediate steps should I take to mitigate this vulnerability?
Upgrade to 1.43.7, 1.44.4 or 1.45.2 (or any later release on the same branch). The fixed releases validate the help-link target, so a customised value can no longer produce a script-bearing link.
If you cannot upgrade at once, set $wgEnableProtectionIndicators to false in LocalSettings.php. That removes the indicators, and with them the vulnerable link, until the upgrade is done.
Independently of patching, review who holds administrator rights (Special:ListUsers/sysop) and inspect the current value and edit history of the customised help link for unexpected changes: the patch stops the unsafe link from being emitted, but it does not tell you whether anyone used the flaw beforehand.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.