5.4

CVE-2026-22710

Exploit

Stored XSS through autocomment system messages in Wikibase

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WikimediaWikibase Version1.39 SwPlatformmediawiki
WikimediaWikibase Version1.43 SwPlatformmediawiki
WikimediaWikibase Version1.44 SwPlatformmediawiki
WikimediaWikibase Version1.45 SwPlatformmediawiki
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.067
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
c4f26cc8-17ff-4c99-b5e2-38fc1793eacc 2.3 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://phabricator.wikimedia.org/T409737
Exploit
Issue Tracking
https://gerrit.wikimedia.org/r/q/I39d0074b2ad022b6efe6ab3dd8c8ec0f86c6c466
Patch