Platform: php
Component: globalwatchlist
Fixed in: 1.45, 1.43
CVE-2026-39933 is a Cross-Site Scripting (XSS) vulnerability in the MediaWiki GlobalWatchlist extension. The flaw lets an attacker inject script into web pages viewed by other users, which can lead to session hijacking or page defacement. It affects MediaWiki installations running GlobalWatchlist extension versions 1.43 through 1.45. The issue has been fixed in the master branch and released for versions 1.43, 1.44, and 1.45.
CVE-2026-39933 in the MediaWiki GlobalWatchlist extension is a Cross-Site Scripting (XSS) vulnerability. It allows an attacker to inject code into MediaWiki web pages that then executes in users' browsers. Successful exploitation could lead to the theft of sensitive information, such as session cookies, or to users being redirected to fraudulent websites. The impact is particularly severe if the MediaWiki instance manages sensitive information or has a large user base. The GlobalWatchlist extension, used for managing global watchlists, is the entry point for this attack. The severity depends on the specific configuration of the MediaWiki instance and on user permissions.
The XSS vulnerability in the GlobalWatchlist extension arises from improper neutralization of user input during web page generation. An attacker could exploit it by injecting JavaScript into the extension's input fields; that code would then execute in the browser of any user who visits the affected page. The most likely exploitation context is manipulation of URL parameters or injection into text fields that are displayed on the page. Success depends on the attacker's ability to get users to visit the crafted page or interact with the compromised content.
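To make the weakness class named above concrete, here is an added PHP illustration; it is not code from the GlobalWatchlist extension or any MediaWiki release, and this page does not disclose the affected code path, so the function names and the sample input are hypothetical. The first function shows the "improper neutralization" pattern, where a request value is concatenated straight into HTML; the second escapes the value for the HTML context it lands in before concatenation.

```php
<?php
// Hypothetical example, not the GlobalWatchlist extension's code.
declare(strict_types=1);

/**
 * Vulnerable pattern (CWE-79): the untrusted value is interpolated into
 * HTML unchanged, so any markup it contains becomes part of the page.
 */
function renderTitleUnsafe(string $title): string
{
    return '<h2>' . $title . '</h2>';
}

/**
 * Hardened pattern: escape the untrusted value for an HTML text context
 * before concatenation. ENT_QUOTES also escapes single quotes, so the same
 * call is safe for values placed inside quoted attributes; ENT_SUBSTITUTE
 * replaces invalid UTF-8 sequences instead of returning an empty string.
 */
function renderTitleSafe(string $title): string
{
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h2>';
}

// Constructed sample input containing markup, standing in for a request
// parameter such as a watchlist name supplied by the user.
$untrusted = '<b>watchlist</b> & more';

echo renderTitleUnsafe($untrusted), PHP_EOL; // markup is emitted as-is
echo renderTitleSafe($untrusted), PHP_EOL;   // markup is emitted as escaped text
```

In MediaWiki extension code the same escaping is normally obtained by building markup through core helpers such as `Html::element()`, which escape element content and attribute values, rather than by string concatenation; the point of the snippet is the boundary, every untrusted value must be escaped for the exact context (element text, attribute, URL, script) it is written into.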
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
The solution to CVE-2026-39933 is to update the GlobalWatchlist extension to version 1.45 or higher; versions 1.43 and 1.44 have also been patched. The update can be performed through the MediaWiki extension manager. Take a full backup of the site before applying any update. Also review the GlobalWatchlist extension configuration to ensure security best practices are in use, and monitor server logs for suspicious activity to help detect and prevent attacks. Applying security patches promptly is a fundamental part of maintaining system security.
Update the GlobalWatchlist extension to version 1.45 or higher. This version fixes the XSS vulnerability by correctly neutralizing input during web page generation. Be sure to back up your MediaWiki installation before applying the update.
XSS (Cross-Site Scripting) is a class of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
If you are running the GlobalWatchlist extension in a version prior to 1.45, you are likely affected. Review your server logs for suspicious activity.
Isolate the affected site, back up your data, and apply the security update as soon as possible. Consider consulting a security expert.
No, a MediaWiki core update alone does not fix this issue. You must specifically update the GlobalWatchlist extension.
You can find more information about CVE-2026-39933 in vulnerability databases such as the National Vulnerability Database (NVD).