CVE-2026-14358
Status: Received - Intake

Cross-Site Scripting in MediaWiki Charts Extension

Vulnerability report for CVE-2026-14358, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: wikimedia-foundation

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Charts Extension from * (all versions) before 1.43.9, 1.44.6 and 1.45.4.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 3 associated CPEs

Vendor                     Product                      Version / Range
the_wikimedia_foundation   mediawiki_charts_extension   From 1.43.0 (inc) to 1.43.9 (exc)
the_wikimedia_foundation   mediawiki_charts_extension   1.44.6
the_wikimedia_foundation   mediawiki_charts_extension   1.45.4

Exploitability

CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2026-14358 is a stored cross-site scripting (XSS) vulnerability in the Wikimedia Chart extension. It occurs specifically in pie charts where a malicious title in a numeric field within a Data:*.tab page is preserved in the client chart specification.

The vulnerability arises because the Chart extension's pie tooltip formatter uses the raw field title as HTML content without proper sanitization. This means that when a user views the page and hovers over or taps the pie chart tooltip, attacker-controlled HTML can execute.

This is a cross-user stored XSS attack, allowing attackers who can create or edit Data: pages to inject malicious scripts that execute for other users viewing the chart.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected pie charts. This can lead to unauthorized actions such as stealing user credentials, session hijacking, or performing actions on behalf of the user.

Since the attack is stored, it persists in the data and affects any user who views the compromised chart, increasing the potential impact.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the Wikimedia Chart extension, specifically affecting pie charts whose numeric fields carry malicious titles within Data:*.tab pages.

Detection involves identifying whether any Data: pages contain HTML or script code in pie chart field titles that would be rendered when users hover over or tap the pie chart tooltip. Since the vulnerability arises from unsanitized HTML in the tooltip formatter, you can detect it by reviewing or scanning the content of Data: pages for suspicious HTML or script tags.

  • Manually inspect Data:*.tab pages for unexpected HTML or JavaScript code in pie chart field titles.
  • Use grep or similar tools to search for suspicious script tags or event-handler attributes in a dump of the relevant MediaWiki database or in exported page content, for example:

        grep -r '<script' /path/to/mediawiki/data/pages
        grep -r 'onmouseover' /path/to/mediawiki/data/pages

Additionally, monitoring user reports of unexpected script execution or unusual behavior when interacting with pie chart tooltips can help detect exploitation attempts.
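The grep approach above matches on raw text and misses titles stored under a language map or written without a script tag. The following added example (not code from the Charts extension or from this advisory) parses a Data:*.tab page body and reports every schema field whose title contains HTML tags or entities, noting the field type so numeric fields, the ones exposed through the pie tooltip, stand out. It assumes the JsonConfig tabular layout (a "schema" object with a "fields" list whose "title" is a string or a language-code map); the sample page is constructed for the demonstration.

```python
import json
import re
from typing import Dict, List

# Constructed Data:*.tab page body (JsonConfig tabular layout assumed).
# The numeric field's title carries markup that a plain-text title never needs.
SAMPLE_TAB_PAGE = json.dumps({
    "license": "CC0-1.0",
    "description": {"en": "Constructed test data for the scanner"},
    "schema": {"fields": [
        {"name": "region", "type": "string", "title": {"en": "Region"}},
        {"name": "share", "type": "number",
         "title": {"en": "Share <b onmouseover=x>%</b>"}},
    ]},
    "data": [["north", 40], ["south", 60]],
})

# A tag or a character entity in a title is suspicious: titles are meant to be
# plain text, and under the pre-fix formatter they were inserted as HTML.
_MARKUP = re.compile(r"<[^>]+>|&#?\w+;")


def field_titles(field: dict) -> List[str]:
    """Return every title string of a field; a title is either a plain string
    or a map of language code -> string."""
    title = field.get("title", "")
    if isinstance(title, dict):
        return [t for t in title.values() if isinstance(t, str)]
    return [title] if isinstance(title, str) else []


def find_markup_in_titles(page_json: str) -> List[Dict[str, str]]:
    """Parse a Data:*.tab page body and list fields whose title contains HTML
    tags or entities. Each hit records the field name, its declared type and
    the offending title text."""
    doc = json.loads(page_json)
    hits = []
    for field in doc.get("schema", {}).get("fields", []):
        for text in field_titles(field):
            if _MARKUP.search(text):
                hits.append({"field": field.get("name", "?"),
                             "type": field.get("type", "?"),
                             "title": text})
    return hits


if __name__ == "__main__":
    for hit in find_markup_in_titles(SAMPLE_TAB_PAGE):
        print(f"field {hit['field']!r} ({hit['type']}): {hit['title']!r}")
```

Run it over each Data: page body exported from the wiki (for example via the API or a dump) and review every hit; a title on a "number" field is the case this CVE concerns, but markup in any title is worth cleaning.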

Mitigation Strategies

The vulnerability was mitigated by changing the tooltip formatter in the Wikimedia Chart extension to use the "richText" render mode, which renders tooltip content as plain text instead of HTML, preventing script execution.

Immediate mitigation steps include:

  • Update the Mediawiki Chart extension to version 1.43.9, 1.44.6 or 1.45.4 (or later within the same release branch), where the fix has been applied.
  • If updating immediately is not possible, restrict or review permissions to create or edit Data: pages to trusted users only, to reduce the risk of malicious script injection.
  • Monitor and sanitize existing Data: pages to remove any malicious HTML or script content in pie chart titles.

No evidence of exploitation in the wild was found, but applying the fix and restricting editing rights are important to prevent potential attacks.

Compliance Impact

CVE-2026-14358 is a stored cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts which execute in the browsers of other users viewing affected charts. Such vulnerabilities can lead to unauthorized access to user data or session information.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Organizations using the vulnerable Mediawiki - Charts Extension could potentially face compliance issues if the vulnerability is exploited to compromise personal or sensitive data, as required protections under GDPR, HIPAA, and similar regulations might be violated.

The vulnerability was mitigated by changing the tooltip formatter to render content as plain text, preventing script execution and reducing the risk of data exposure or unauthorized actions.
