CVE-2026-58519

Stored XSS in MediaWiki Cargo Extension

Vulnerability report for CVE-2026-58519, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: wikimedia-foundation

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: all versions before 3.9.1.

Meta Information

Generated: 2026-07-01
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
the_wikimedia_foundation | mediawiki_cargo_extension | up to 3.9.1 (excluding)

CWE

CWE ID | Description
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.


AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the stored cross-site scripting (XSS) vulnerability in the Mediawiki Cargo Extension directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-58519 is a stored cross-site scripting (XSS) vulnerability in the Cargo extension for MediaWiki, affecting versions up to 3.9.

The issue arises from Cargo's map format, which allows malicious wikitext to inject and execute arbitrary JavaScript code.

An attacker can create a template with a specially crafted Cargo table, then embed a map with an XSS payload in the title field of a marker.

When rendered, the payload executes due to improper handling of map data stored in a <span> element, which can be manipulated via wikitext or the language converter.

The vulnerability was patched by changing the extension to store map data in a reserved data attribute instead of the element's contents, preventing fake map data elements and protecting against language conversion manipulation.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the affected MediaWiki site.

Such execution can lead to unauthorized actions such as stealing user credentials, session hijacking, defacing web pages, or performing actions on behalf of legitimate users.

Because the XSS is stored, the malicious code can persist and affect multiple users who view the compromised content.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the Cargo extension for MediaWiki, specifically involving malicious wikitext in Cargo tables that injects JavaScript via the title fields of map markers.

Detection involves inspecting rendered pages that use the Cargo extension's map format for suspicious or unexpected JavaScript execution, especially in map marker titles.

Since the vulnerability arises from stored data, network detection might be limited, but you can monitor HTTP responses for suspicious script tags or unexpected inline JavaScript within map elements.

No specific commands are provided in the available resources to detect this vulnerability automatically.

Mitigation Strategies

The vulnerability was patched by changing how map data is stored in the Cargo extension: from storing map data inside a span element's contents to using a reserved data attribute (`data-mw-cargo-map-data`).

Immediate mitigation steps include upgrading the MediaWiki Cargo extension to version 3.9.1 or later, which contains the fix.

Until the upgrade can be applied, consider restricting user permissions to prevent untrusted users from creating or editing Cargo tables or templates that include map data.
