CVE Catalog

CVE-2026-58037

UnknownCVSS 0.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile — higher than 31% of all known CVEs

Summary

A cross-site scripting (XSS) vulnerability was found in MediaWiki due to improper input neutralization during page generation. It affects multiple files including Language.php and BlockLogFormatter.php, and impacts all versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9.

Risk Assessment

An attacker can inject malicious JavaScript code that executes in the victim's browser, potentially leading to session theft, defacement, or sensitive data exfiltration.

Recommendation

Immediately upgrade MediaWiki to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9, depending on your branch.

Original NVD description (English source)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Language/Language.Php, includes/Logging/BlockLogFormatter.Php, includes/Logging/LogFormatter.Php, includes/Logging/PatrolLogFormatter.Php, includes/Logging/RenameuserLogFormatter.Php, includes/Logging/TagLogFormatter.Php, includes/Specials/SpecialVersion.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS