Platform: php
Component: campaignevents
Fixed in: 1.44, 1.45, 1.46, 1.43
CVE-2026-39935 describes a Cross-Site Scripting (XSS) vulnerability in the CampaignEvents extension for MediaWiki. The flaw allows attackers to inject malicious scripts into web pages, potentially compromising user accounts and sensitive data. It affects versions 0.0.0 through 1.45 of the extension; a fix is available in version 1.46.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript within the context of a user's browser. This can lead to session hijacking, defacement of the MediaWiki site, and redirection to phishing sites. Attackers could steal user credentials, including those of administrator accounts, giving them complete control over the MediaWiki instance. The blast radius extends to every user who interacts with the affected pages, so the potential for widespread compromise is significant.
This vulnerability was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code had been released at the time of writing, but the XSS nature of the flaw makes it likely that exploits will emerge. It is not currently listed in the CISA KEV catalog. The potential for exploitation is rated medium because XSS is generally easy to exploit and MediaWiki is widely deployed.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2026-39935 is to upgrade the CampaignEvents extension to version 1.46 or later. If an immediate upgrade is not feasible because of compatibility or testing requirements, apply strict input validation and context-appropriate output encoding to all user-supplied data the extension processes. A Web Application Firewall (WAF) configured to detect and block XSS payloads adds a further layer of defense. Regularly review and update MediaWiki's security configuration to minimize the attack surface.
Update the CampaignEvents extension to version 1.46 or later to mitigate the XSS vulnerability. Back up your wiki before updating. This fix is only available in the 'master' branch.
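The workaround above (output encoding plus validation of user-supplied values) is illustrated below with an added example in PHP, the extension's platform. This is not code from the CampaignEvents extension or from MediaWiki core, and it does not reproduce the specific flaw behind CVE-2026-39935, which the advisory does not detail; the field names `$eventName` and `$organizerUrl` are hypothetical, and the sample input is constructed. It places a vulnerable rendering pattern beside a hardened one so the effect of encoding can be compared directly.

```php
<?php
// Added example (not code from the CampaignEvents extension or MediaWiki):
// context-aware output encoding of user-supplied values before they are
// written into HTML, the interim workaround recommended above.
// $eventName and $organizerUrl are hypothetical field names.

declare(strict_types=1);

/**
 * Escape a string for HTML element content or a double-quoted attribute.
 * ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences rather than returning an empty string, which would
 * otherwise silently drop the value.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Validate a user-supplied URL before it is used in an href attribute.
 * Only absolute http(s) URLs are accepted; anything else becomes ''.
 * Encoding alone does not neutralise a non-http scheme in href, so this
 * check has to run before escapeHtml().
 */
function safeHttpUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';
    }
    $scheme = strtolower($parts['scheme']);
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

/** Vulnerable pattern: values are concatenated straight into markup. */
function renderEventUnsafe(string $eventName, string $organizerUrl): string
{
    return '<h2>' . $eventName . '</h2>'
        . '<a href="' . $organizerUrl . '">Organizer</a>';
}

/** Hardened pattern: validate first, then encode for the HTML context. */
function renderEventSafe(string $eventName, string $organizerUrl): string
{
    return '<h2>' . escapeHtml($eventName) . '</h2>'
        . '<a href="' . escapeHtml(safeHttpUrl($organizerUrl)) . '">Organizer</a>';
}

// Constructed sample input: an event name containing markup and an
// organizer URL whose scheme is not http(s).
$eventName    = 'Edit-a-thon <script>alert(1)</script>';
$organizerUrl = 'javascript:alert(1)';

// The unsafe renderer emits the <script> element and the javascript: link
// verbatim; the safe renderer emits &lt;script&gt;... as inert text and an
// empty href.
echo renderEventUnsafe($eventName, $organizerUrl), PHP_EOL;
echo renderEventSafe($eventName, $organizerUrl), PHP_EOL;
```

The same two rules apply to every output context: encode for the context the value lands in (HTML body, attribute, URL, JavaScript string), and validate values such as URLs whose danger is not removed by encoding. In a MediaWiki extension the equivalent of `escapeHtml()` is core's `Html::element()` helper, which builds the element and escapes its content and attributes; using it consistently rather than string concatenation is the durable fix the 1.46 upgrade represents.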
CVE-2026-39935 is a Cross-Site Scripting (XSS) vulnerability in the MediaWiki CampaignEvents extension that allows attackers to inject malicious scripts.
You are affected if you are running the MediaWiki CampaignEvents extension at any version from 0.0.0 through 1.45.
Upgrade the CampaignEvents extension to version 1.46 or later. Apply input validation and output encoding as a temporary workaround until you can upgrade.
No active exploitation has been confirmed, but the XSS nature of the vulnerability suggests potential for future exploitation.
Refer to the official MediaWiki security advisories for the latest information and updates.