Stored XSS Vulnerability in WikiWorks Mediawiki Cargo Extension
CVE-2026-39837

6.3MEDIUM

Key Information:

Vendor: Wikimedia Foundation
Status: Mediawiki - Cargo Extension
Vendor: CVE Published:; 7 April 2026

🔔 Create Wikimedia Foundation Vulnerability Alert

What is CVE-2026-39837?

A vulnerability exists in the WikiWorks Mediawiki - Cargo Extension due to improper neutralization of script-related HTML tags. This flaw enables attackers to execute stored cross-site scripting (XSS) attacks, which can compromise the integrity of web pages and affect users accessing affected installations. Users of the Cargo Extension prior to version 3.8.7 are vulnerable and are advised to update their software and implement security best practices to mitigate potential risks.

Affected Version(s)

Mediawiki - Cargo Extension 0 < 3.8.7

References

https://phabricator.wikimedia.org/T416402

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Car...

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

SomeRandomDeveloper

CVE-2026-39837 Data

JSON