Executive Summary

CVE-2026-34095 is a security vulnerability in MediaWiki related to the action=raw endpoint. When a request is made with a Special:MyPage subpage title and the ctype=text/javascript parameter, the server incorrectly responds with a "Content-Type: text/html" header instead of "text/javascript."

This causes the browser to render the response as arbitrary HTML rather than plain JavaScript, which can lead to cross-site scripting (XSS) attacks. The root cause is that MediaWiki's RawAction class does not properly set the Content-Type header after redirects handled through DerivativeRequest, which inherits from FauxRequest and does not override the response() method. As a result, headers set in RawAction are ignored after a redirect, defaulting the response to text/html.

Because regular subpages are freely editable by users, an attacker can exploit this to execute arbitrary JavaScript in the context of a victim's session by tricking a logged-in user into clicking a malicious link.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to perform cross-site scripting (XSS) attacks by executing arbitrary JavaScript in the context of a victim's session. This means an attacker could potentially steal session tokens, perform actions on behalf of the user, or manipulate the content displayed to the user.

The attack vector is accessible because regular subpages are editable by users, making it easier for an attacker to inject malicious content. If a logged-in user is tricked into clicking a specially crafted link, their session and data could be compromised.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the MediaWiki installation responds incorrectly to requests to the action=raw endpoint with a Special:MyPage subpage title and the ctype=text/javascript parameter.

Specifically, you can test whether the response header Content-Type is incorrectly set to text/html instead of text/javascript, which indicates the vulnerability.

A possible command to test this behavior using curl is:

• curl -I 'https://your-mediawiki-site/index.php?action=raw&ctype=text/javascript&title=Special:MyPage/subpage'

If the Content-Type header in the response is text/html rather than text/javascript, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the security patches released by the Wikimedia Foundation that fix the header handling issue in the RawAction class.

Updating MediaWiki to versions 1.43.7, 1.44.4, or 1.45.2 or later will resolve the vulnerability.

Until the update can be applied, administrators should be cautious about user-editable subpages and consider restricting editing permissions to reduce the attack surface.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability in MediaWiki allows an attacker to execute arbitrary JavaScript in the context of a victim's session by exploiting improper Content-Type header handling, leading to potential cross-site scripting (XSS) attacks.

Such XSS vulnerabilities can lead to unauthorized access to user data or session hijacking, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly state the direct impact on compliance with these standards or any regulatory consequences.

Useful 0 Not Useful 0