CVE-2026-58520
Status: Undergoing analysis (in progress)

Open Redirect in MediaWiki UrlShortener Extension

Vulnerability report for CVE-2026-58520, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: wikimedia-foundation

Description

URL redirection to untrusted site ('open redirect') vulnerability in the Wikimedia Foundation's MediaWiki UrlShortener extension allows Cross-Site Flashing. This issue affects the MediaWiki UrlShortener extension in all versions before the fixed releases 1.43.9, 1.44.6 and 1.45.4.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-03
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 3 associated CPEs (ranges follow the description: every version before each fixed release is affected)

Vendor                    Product                            Version / Range
the_wikimedia_foundation  mediawiki_urlshortener_extension   before 1.43.9 (excluded)
the_wikimedia_foundation  mediawiki_urlshortener_extension   before 1.44.6 (excluded)
the_wikimedia_foundation  mediawiki_urlshortener_extension   before 1.45.4 (excluded)

Exploitability

CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Executive Summary

CVE-2026-58520 is an open redirect in the MediaWiki UrlShortener extension caused by ineffective validation of the domains a shortened URL is allowed to point to.

With the default configuration, which is meant to restrict shortening to the wiki's own domain, the extension builds a regular expression from the server's host name but matches it without start (`^`) and end (`$`) anchors. A target host therefore only needs to contain the wiki's host name somewhere in it, so an attacker can register a short URL on the wiki whose target is an attacker-controlled site (for example one whose host name merely embeds the wiki's host name) and hand that trusted-looking short link to victims.

The flaw, an open redirect (CWE-601), has existed since the feature was introduced in 2014 and enables Cross-Site Flashing attacks.

Compliance Impact

The provided information does not specify how the URL redirection vulnerability in the MediaWiki UrlShortener extension impacts compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability allows attackers to redirect users to malicious or untrusted websites through shortened URLs that are hosted on, and appear to belong to, the legitimate wiki domain.

Such redirects can be used for phishing, delivering malware, or other attacks that exploit user trust in the original domain: the victim sees and clicks a link on the wiki's own host, and only the final hop lands on the attacker's site.

Because the extension does not properly restrict short-URL targets to trusted domains, users may be exposed to these risks without noticing that they have left the wiki.

Detection Guidance

The vulnerable condition is an unpatched extension version combined with the default `UrlShortenerAllowedDomains: false` (set in `LocalSettings.php` as `$wgUrlShortenerAllowedDomains`), under which the allowed-domain regex is built from the server's host without `^` and `$` anchors. Confirm exposure by checking the installed extension version against the fixed releases (1.43.9, 1.44.6, 1.45.4) and by inspecting the configuration or the validation code for the missing anchors.

To detect exploitation attempts, look for requests that create short URLs whose target host lies outside the wiki's own domain, and for redirects served by the extension to third-party or unexpected domains.

Suggested commands include:

  • Use grep or similar tools to check the configuration and source code for the `UrlShortenerAllowedDomains` setting and the regex pattern, e.g., `grep -rn UrlShortenerAllowedDomains /path/to/mediawiki/LocalSettings.php /path/to/mediawiki/extensions/UrlShortener`.
  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and filter for URL shortening requests, e.g., `tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` (TCP segments that carry a payload), and analyze for redirects to untrusted domains. This only works for plaintext HTTP; on a TLS-terminated site, capture behind the reverse proxy or rely on server logs instead.
  • Check web server logs for URL shortening requests and for redirect responses from the extension. A standard access log records the redirect status code but not the `Location` target, so correlate redirects with the short-URL targets stored by the extension, or log the target at creation time.

Mitigation Strategies

Immediate mitigation is to update the MediaWiki UrlShortener extension to the fixed release for your branch (1.43.9, 1.44.6 or 1.45.4, released in July 2026). The fix adds start and end anchors to the domain-validation regex, so a target host must be the wiki's host or a subdomain of it rather than merely contain it.

If updating immediately is not possible, configure `UrlShortenerAllowedDomains` explicitly instead of leaving it at the default `false`, restricting shortening to trusted domains only; the example of a strict, anchored pattern given here is `^(.*\.)?wikipedia\.org$`. Check the extension documentation for the exact form the setting takes in your version, and make sure any pattern is applied to the host component of the parsed target URL rather than to the whole URL string, since an unanchored or substring match is exactly what this CVE exploits.

Additionally, monitor and restrict use of the shortening feature (for example by limiting which user groups may create short URLs) until the patch is applied.
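As an added example that is not the extension's own code, the following Python (chosen so it runs stand-alone; the extension itself is PHP) reproduces the check shape the executive summary describes, an unanchored host regex, beside the anchored form the fix and the mitigation call for, and then uses the two to audit a constructed list of stored short-URL targets. The wiki host `example.org`, the function names and the sample URLs are assumptions for the example.

```python
"""Unanchored vs anchored allowed-domain check for a URL shortener.

Added example, not code from the UrlShortener extension. The pattern shape
`(.*\.)?<quoted host>` follows the advisory's description of the default
"current domain only" setting; everything else here is constructed.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

WIKI_HOST = "example.org"  # assumed host of $wgServer for this example


def unanchored_pattern(host: str) -> re.Pattern:
    """Vulnerable shape: the host is quoted into the pattern, but with no
    ^ / $ anchors the pattern only has to occur somewhere in the target host."""
    return re.compile(r"(.*\.)?" + re.escape(host))


def anchored_pattern(host: str) -> re.Pattern:
    """Hardened shape: the whole target host must be the wiki host itself
    or a subdomain of it."""
    return re.compile(r"^(.*\.)?" + re.escape(host) + r"$")


def target_host(url: str) -> Optional[str]:
    """Return the lower-cased host component of an http(s) URL, or None.

    Matching against the parsed host (not the raw URL string) matters:
    'https://example.org@attacker.example/' contains the wiki host as
    userinfo, but its real host is attacker.example.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    return host or None


def is_allowed(url: str, pattern: re.Pattern) -> bool:
    """Apply an allowed-domain pattern to the target's host."""
    host = target_host(url)
    return host is not None and pattern.search(host) is not None


def audit_targets(urls: List[str], host: str = WIKI_HOST) -> List[str]:
    """Detection helper: return stored targets that the unanchored check
    accepted but the anchored check rejects, i.e. open-redirect targets
    that slipped through before the fix."""
    weak, strict = unanchored_pattern(host), anchored_pattern(host)
    return [u for u in urls if is_allowed(u, weak) and not is_allowed(u, strict)]


# Constructed sample of short-URL targets, as they might sit in the
# extension's storage on an unpatched wiki.
SAMPLE_TARGETS = [
    "https://example.org/wiki/Main_Page",              # legitimate
    "https://en.example.org/wiki/Main_Page",           # legitimate subdomain
    "https://example.org.attacker.example/login",      # slips past missing $
    "https://notexample.org/",                         # slips past missing ^
    "https://example.org@attacker.example/",           # caught once host is parsed
    "https://attacker.example/?next=example.org",      # host does not contain wiki host
    "javascript:alert(1)",                             # non-http scheme, always rejected
]

if __name__ == "__main__":
    for url in SAMPLE_TARGETS:
        print(f"{url:50} unanchored={is_allowed(url, unanchored_pattern(WIKI_HOST))!s:5} "
              f"anchored={is_allowed(url, anchored_pattern(WIKI_HOST))}")
    print("slipped through:", audit_targets(SAMPLE_TARGETS))
```

Running the module prints one line per sample target with both verdicts; the two targets whose host merely embeds `example.org` pass the unanchored check and fail the anchored one, which is the whole CVE in miniature. The same `audit_targets` logic can be pointed at a real list of stored targets exported from the wiki to find links created before the patch.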
