CVE-2026-58521
Undergoing Analysis Undergoing Analysis - In Progress

SQL Injection in MediaWiki Cargo Extension

Vulnerability report for CVE-2026-58521, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: wikimedia-foundation

Description

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-02
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
the_wikimedia_foundation mediawiki_cargo_extension From 1.43.9 (inc) to 1.44.6 (exc)
the_wikimedia_foundation mediawiki_cargo_extension From 1.44.6 (inc) to 1.45.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58521 is a SQL injection vulnerability in the Cargo extension for MediaWiki, specifically in the year range filter of Special:Drilldown.

The vulnerability occurs because the extension does not properly sanitize user input before inserting it into a SELECT SQL query, allowing attackers to inject malicious SQL code.

This improper neutralization of special elements used in SQL commands enables attackers to manipulate database queries.

Impact Analysis

Exploiting this vulnerability can lead to a complete account takeover by exfiltrating sensitive data such as the user_token, even bypassing two-factor authentication if enabled.

Attackers can also perform denial-of-service attacks by executing resource-intensive queries that degrade system performance.

The impact depends on the database user privileges; if the default database user has access to sensitive tables, the risk is higher.

Disabling Special:Drilldown or applying the patch that validates year values can mitigate the risk.

Compliance Impact

The SQL injection vulnerability in the MediaWiki Cargo Extension can lead to a complete account takeover by exfiltrating sensitive information such as the user_token, which can bypass two-factor authentication if enabled.

This exposure of sensitive user data and potential unauthorized access could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Additionally, the vulnerability allows denial-of-service attacks, which could affect system availability, another important aspect of regulatory compliance.

Detection Guidance

This SQL injection vulnerability in the MediaWiki Cargo extension can be detected by testing the year range filter in Special:Drilldown for improper input sanitization.

Proof-of-concept attacks demonstrated include time-based SQL injection using commands such as SLEEP functions and logical conditions like "1=1" to manipulate queries.

To detect the vulnerability, you can attempt injecting SQL payloads into the year range filter input fields and observe if the system behaves abnormally or delays responses (indicative of time-based injections).

  • Use SQL injection test payloads such as '1 OR 1=1' or '1; SLEEP(5); --' in the year range filter input.
  • Monitor response times for delays that indicate execution of injected SQL commands.
  • Check logs for unusual queries or errors related to the year range filter in Special:Drilldown.
Mitigation Strategies

Immediate mitigation steps include applying the patch developed and merged to validate year values in the Special:Drilldown filter, which prevents SQL injection.

If patching is not immediately possible, disabling the Special:Drilldown feature will mitigate the vulnerability.

Additionally, review and restrict database user privileges to limit access to sensitive tables such as user_token, reducing the impact of potential exploitation.

  • Apply the official patch that validates input for the year range filter.
  • Disable the Special:Drilldown feature temporarily if patching is delayed.
  • Restrict database user permissions to prevent access to sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58521. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart