Platform
php
Component
score
Fixed in
1.45
1.45
1.45
1.43
CVE-2026-39936 represents a Cross-Site Scripting (XSS) vulnerability discovered within the Mediawiki - Score Extension. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The vulnerability impacts Mediawiki - Score Extension versions 1.43 through 1.45. A fix has been implemented in the master branch and released for versions 1.43, 1.44, and 1.45.
CVE-2026-39936 in the Wikimedia Foundation's MediaWiki 'Score' extension represents a Cross-Site Scripting (XSS) vulnerability. This allows an attacker to inject malicious code into web pages generated by MediaWiki, which would then execute in the browsers of users visiting those pages. The potential impact includes cookie theft, redirection to malicious websites, content alteration, and actions performed on behalf of the affected user. The severity of this XSS depends on the sensitivity of the information users access and share within MediaWiki. This vulnerability affects specific versions, making timely updates critical.
The vulnerability stems from improper neutralization of input during web page generation. An attacker could exploit this flaw to inject malicious JavaScript code into input parameters that are not properly sanitized. This code would execute in the context of the user viewing the page, allowing the attacker to perform unauthorized actions. Successful exploitation depends on the attacker’s ability to control the input used to generate the page and the absence of adequate security measures to prevent malicious code injection. The 'Score' extension is particularly vulnerable due to its handling of user-provided data.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
The Wikimedia Foundation has addressed this vulnerability in the 'master' branch and in release branches for MediaWiki versions 1.43, 1.44, and 1.45. Administrators are strongly encouraged to update their installations to one of these patched versions as soon as possible. To mitigate the risk before updating, additional security measures can be implemented, such as strict user input validation and Content Security Policy (CSP) implementation. Monitoring server logs for suspicious activity can also help detect and respond to potential attacks. Updating is the most effective and recommended solution.
Actualice la extensión Score a la versión 1.45 o superior. Esta versión corrige la vulnerabilidad de XSS al neutralizar correctamente la entrada durante la generación de la página web. Asegúrese de realizar una copia de seguridad de su instalación de MediaWiki antes de aplicar la actualización.
Vulnerability analysis and critical alerts directly to your inbox.
XSS (Cross-Site Scripting) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
An attacker could steal sensitive information, redirect users to malicious websites, or alter the page content.
Versions 1.43, 1.44, and 1.45 are vulnerable. The 'master' branch is already patched.
Implement additional security measures like input validation and CSP, and monitor server logs.
Consult the official MediaWiki documentation and the update release notes.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.