Cross-Site Scripting Vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension
CVE-2026-39840

5.1MEDIUM

Key Information:

Vendor: Wikimedia Foundation
Status: Mediawiki - Cargo Extension
Vendor: CVE Published:; 7 April 2026

🔔 Create Wikimedia Foundation Vulnerability Alert

What is CVE-2026-39840?

A cross-site scripting (XSS) vulnerability has been identified in the Cargo Extension of the Wikimedia Foundation's Mediawiki platform. This flaw allows attackers to inject malicious scripts into the web pages generated by Mediawiki, specifically targeting non-script elements. This vulnerability poses serious risks, as it can lead to the execution of harmful scripts in the context of unsuspecting users' browsers, potentially compromising sensitive data and user interactions. All users running versions prior to 3.8.7 of the Cargo Extension are advised to upgrade to a patched version promptly to mitigate these security risks.

Affected Version(s)

Mediawiki - Cargo Extension 0 < 3.8.7

References

https://phabricator.wikimedia.org/T416368

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Car...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

SomeRandomDeveloper

Yaron Koren

CVE-2026-39840 Data

JSON