Cross-Site Scripting Vulnerability in Wikimedia Foundation MediaWiki ProofreadPage Extension
CVE-2026-39838

6.9MEDIUM

Key Information:

Vendor: Wikimedia Foundation
Status: Mediawiki - Proofreadpage Extension
Vendor: CVE Published:; 7 April 2026

🔔 Create Wikimedia Foundation Vulnerability Alert

What is CVE-2026-39838?

The MediaWiki ProofreadPage Extension is vulnerable to a cross-site scripting (XSS) flaw due to improper neutralization of input during web page generation. This vulnerability allows attackers to execute scripts in the context of a user's session by targeting non-script elements. This can potentially lead to data theft and other malicious activities if exploited.

Affected Version(s)

MediaWiki - ProofreadPage Extension 1.43.7

MediaWiki - ProofreadPage Extension 1.44.4

MediaWiki - ProofreadPage Extension 1.45.2

References

https://phabricator.wikimedia.org/T406088

https://gerrit.wikimedia.org/r/q/Idd51e18479b32b7176b43ff...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

SomeRandomDeveloper

CVE-2026-39838 Data

JSON