Cross-Site Scripting Vulnerability in Wikimedia Foundation's Mediawiki Cargo Extension
CVE-2025-62671

6.9MEDIUM

Key Information:

Vendor

The Wikimedia Foundation

Status
Mediawiki - Cargo Extension
Vendor
CVE Published:
18 October 2025

What is CVE-2025-62671?

A Cross-Site Scripting (XSS) vulnerability exists in the Wikimedia Foundation's Mediawiki Cargo Extension, which improperly neutralizes input during web page generation. This flaw allows for stored XSS attacks, potentially enabling an attacker to inject malicious scripts that execute in the context of users' browsers. If exploited, this vulnerability could lead to unauthorized actions and theft of sensitive information. The affected version is the master branch of the Cargo Extension.

Affected Version(s)

Mediawiki - Cargo Extension master

References

https://phabricator.wikimedia.org/T402147
https://gerrit.wikimedia.org/r/1179707

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

SomeRandomDeveloper
JSON
.
CVE-2025-62671 : Cross-Site Scripting Vulnerability in Wikimedia Foundation's Mediawiki Cargo Extension