Cross-Site Scripting Flaw in Wikimedia Foundation Mediawiki - Cargo Extension
CVE-2026-39839

6.3MEDIUM

Key Information:

Vendor: Wikimedia Foundation
Status: Mediawiki - Cargo Extension
Vendor: CVE Published:; 7 April 2026

🔔 Create Wikimedia Foundation Vulnerability Alert

What is CVE-2026-39839?

The Mediawiki - Cargo Extension of the Wikimedia Foundation is susceptible to a Cross-Site Scripting (XSS) vulnerability due to improper neutralization of script-related HTML tags in web pages. This can lead to stored XSS attacks, where malicious scripts are stored and executed when users access impacted pages. Affected versions are those prior to 3.8.7, making it imperative for users to update their installations to ensure protection against this security issue.

Affected Version(s)

Mediawiki - Cargo Extension 0 < 3.8.7

References

https://phabricator.wikimedia.org/T416271

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Car...

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

SomeRandomDeveloper

Yaron Koren

CVE-2026-39839 Data

JSON