Cross-Site Scripting Vulnerability in Wikimedia Foundation's Mediawiki GlobalWatchlist Extension
CVE-2026-39933

10CRITICAL

Key Information:

Vendor: The Wikimedia Foundation
Status: Mediawiki - Globalwatchlist Extension
Vendor: CVE Published:; 7 April 2026

🔔 Create The Wikimedia Foundation Vulnerability Alert

What is CVE-2026-39933?

An improper neutralization of user input during the webpage generation in the Mediawiki GlobalWatchlist Extension of the Wikimedia Foundation has led to a Cross-Site Scripting (XSS) vulnerability. This security issue can allow attackers to inject malicious scripts into web pages viewed by users, potentially compromising sensitive information or redirecting users to harmful sites. The vulnerability specifically affects non-release branches of the extension, highlighting the importance of maintaining up-to-date releases to mitigate such security risks.

Affected Version(s)

Mediawiki - GlobalWatchlist Extension 1.43.7

Mediawiki - GlobalWatchlist Extension 1.44.4

Mediawiki - GlobalWatchlist Extension 1.45.2

References

https://phabricator.wikimedia.org/T418179

https://gerrit.wikimedia.org/r/q/I1fc7b7e1d234b0aaf9f7d78...

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

SomeRandomDeveloper

CVE-2026-39933 Data

JSON