CVE-2026-58037
UnknownCVSS 0.0Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
A cross-site scripting (XSS) vulnerability was found in MediaWiki due to improper input neutralization during page generation. It affects multiple files including Language.php and BlockLogFormatter.php, and impacts all versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9.
Risk Assessment
An attacker can inject malicious JavaScript code that executes in the victim's browser, potentially leading to session theft, defacement, or sensitive data exfiltration.
Recommendation
Immediately upgrade MediaWiki to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9, depending on your branch.
Original NVD description (English source)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Language/Language.Php, includes/Logging/BlockLogFormatter.Php, includes/Logging/LogFormatter.Php, includes/Logging/PatrolLogFormatter.Php, includes/Logging/RenameuserLogFormatter.Php, includes/Logging/TagLogFormatter.Php, includes/Specials/SpecialVersion.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

