Stored XSS in Wikimedia Foundation MediaWiki Cargo Extension
CVE-2026-39841

6.3MEDIUM

Key Information:

Vendor: Wikimedia Foundation
Status: Mediawiki - Cargo Extension
Vendor: CVE Published:; 7 April 2026

🔔 Create Wikimedia Foundation Vulnerability Alert

What is CVE-2026-39841?

A vulnerability in the MediaWiki Cargo Extension of Wikimedia Foundation allows for Stored Cross-Site Scripting (XSS) due to improper handling of script-related HTML tags in web pages. This flaw, present in versions prior to 3.8.7, can be exploited to inject malicious scripts, potentially compromising user interactions and data integrity within affected installations.

Affected Version(s)

Mediawiki - Cargo Extension 0 < 3.8.7

References

https://phabricator.wikimedia.org/T416389

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Car...

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Alex44019

CVE-2026-39841 Data

JSON