CVE-2026-14363
Status: Received - Intake

SQL Injection in MediaWiki Cargo Extension

Vulnerability report for CVE-2026-14363, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: wikimedia-foundation

Description

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in the Wikimedia Foundation's MediaWiki Cargo extension allows SQL injection. This issue affects the MediaWiki Cargo extension: all versions before 1.43.9, 1.44.6 and 1.45.4 respectively. As is usual for Wikimedia-assigned extension CVEs, these are MediaWiki release-branch versions (the 1.43, 1.44 and 1.45 branches), not Cargo's own version numbers; the fixed code is the Cargo revision shipped for each branch at or after those releases.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

4 associated CPEs

Vendor / Product / Version range
the_wikimedia_foundation mediawiki_cargo_extension: from 1.43.0 (inclusive) to 1.43.9 (exclusive)
the_wikimedia_foundation mediawiki_cargo_extension: from 1.44.0 (inclusive) to 1.44.6 (exclusive)
the_wikimedia_foundation mediawiki_cargo_extension: from 1.45.0 (inclusive) to 1.45.4 (exclusive)
the_wikimedia_foundation mediawiki_cargo_extension: up to 1.45.4 (inclusive)

The fourth range, as extracted, includes 1.45.4, which contradicts the description and the third range; 1.43.9, 1.44.6 and 1.45.4 are the first fixed releases on their branches, so treat a 1.45.4 install as patched and anything older on any branch as affected.

Helpful Resources

Exploitability

CWE

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Compliance Impact

The SQL injection vulnerability in the MediaWiki Cargo extension allows unauthenticated attackers to exfiltrate sensitive data from the wiki's database. Unauthorized access to that data could lead to violations of data protection regulations such as GDPR and HIPAA, which require personal and sensitive information to be protected from unauthorized disclosure.

Because the vulnerability lets attackers manipulate SQL queries and retrieve data without authorization, organizations running the affected software may face compliance risks related to the confidentiality and integrity of protected data.

Executive Summary

CVE-2026-14363 is a SQL injection vulnerability in the Cargo extension for MediaWiki, specifically affecting the Special:Drilldown page. This vulnerability arises because the extension's code concatenates user-supplied input directly into SQL queries without proper sanitization or neutralization of special SQL elements.

An attacker can manipulate URL parameters to inject malicious SQL code, which can alter the behavior of the database queries executed by the extension. For example, by injecting crafted input, an attacker can cause the system to return all records or no records, demonstrating the ability to control the SQL query logic.

The root cause is the use of string concatenation in the `checkSQL()` function in `CargoAppliedFilter.php` instead of using parameterized queries or MediaWiki's database abstraction layers, which would properly handle user input.

Impact Analysis

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on the MediaWiki Cargo extension, potentially leading to unauthorized access to sensitive data stored in the database.

Because the affected page (Special:Drilldown) is accessible to anonymous users by default, attackers do not need any privileges to exploit this flaw.

The impact includes data exfiltration, unauthorized data disclosure, and possibly manipulation of database queries, which can compromise the confidentiality and integrity of the data managed by the MediaWiki installation.

Detection Guidance

This SQL injection vulnerability in the MediaWiki Cargo extension can be detected by testing the Special:Drilldown page with crafted URL parameters.

The `_lower_` parameters set the lower bound of a date-range filter, and the injected value goes into its [day] component. URLs like the following, with TABLENAME and DATEFIELDNAME replaced by a Cargo table and one of its date fields, expose the flaw:

  • Special:Drilldown/TABLENAME?_lower_DATEFIELDNAME[year]=1&_lower_DATEFIELDNAME[month]=1&_lower_DATEFIELDNAME[day]=1') AND ('1'='1
  • Special:Drilldown/TABLENAME?_lower_DATEFIELDNAME[year]=1&_lower_DATEFIELDNAME[month]=1&_lower_DATEFIELDNAME[day]=1') AND ('2'='1

A lower bound of year 1, month 1, day 1 is satisfied by every stored date, so the first URL, whose appended condition is always true, returns all records, while the second, whose appended condition is always false, returns none. Two requests that differ only in a tautology versus a contradiction and produce different result sets is the boolean-based indicator; a patched wiki returns the same result set for both or rejects the value. The test needs no account, since the page is reachable anonymously.

Another detection method uses a tab character to get past the input validation that catches the space-separated form of the same payload:

  • Special:Drilldown/TABLENAME?DATEFIELDNAME[]=2010	OR 1=1

The separator between 2010 and OR is a tab (U+0009), which has to be sent percent-encoded as %09; a browser or client that normalizes it to a space will not reproduce the bypass.

These tests can be performed manually by accessing the URLs or automated using tools that test for SQL injection by injecting payloads into URL parameters.

Mitigation Strategies

Immediate mitigation is to update the MediaWiki Cargo extension to a patched version (the Cargo revision shipped for MediaWiki 1.43.9, 1.44.6 or 1.45.4, or later). Special:Version lists the installed extension versions and is the quickest way to confirm what a wiki is running.

The vulnerability was fixed by patches that validate the date fields and refactor the code to use MediaWiki's database abstraction layer, such as SelectQueryBuilder, so that values are bound or quoted by the database layer instead of concatenated into the SQL string.

Until the update is applied, restrict access to the Special:Drilldown page or disable the Cargo extension if feasible, so that unauthenticated attackers cannot reach the injectable filter. MediaWiki's `$wgSpecialPages` setting in LocalSettings.php can replace the Drilldown page with a disabled stub (DisabledSpecialPage); check the exact class name against the installed MediaWiki version before relying on it.
