CVE-2026-58028
UnknownCVSS 0.0Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
An XSS vulnerability in MediaWiki and CentralAuth allows an attacker to inject malicious scripts into pages generated by the API. The issue affects multiple files including ApiFormatBase.php and ApiHelp.php.
Risk Assessment
An attacker can steal user sessions, redirect users to malicious sites, or perform other actions in their browser context, compromising data confidentiality and integrity.
Recommendation
Immediately update MediaWiki to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9 and CentralAuth to the corresponding patched versions.
Original NVD description (English source)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth. This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

