Cross-Site Scripting Vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents Extension
CVE-2026-39935

6.9 MEDIUM

What is CVE-2026-39935?

Improper neutralization of input during web page generation in the MediaWiki CampaignEvents Extension allows Cross-Site Scripting (XSS) attacks. This vulnerability can enable an attacker to inject malicious scripts into web pages; those scripts could execute in the context of the user's browser, leading to potential data theft or session hijacking. The affected versions include 1.43.7, 1.44.4, and 1.45.2, posing significant risks to web applications utilizing this extension.

Affected Version(s)

  • MediaWiki - CampaignEvents Extension 1.43.7

  • MediaWiki - CampaignEvents Extension 1.44.4

  • MediaWiki - CampaignEvents Extension 1.45.2

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daimona