CVE Catalog

CVE-2026-58038

UnknownCVSS 0.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

Cross-Site Scripting (XSS) vulnerability in the Timeline extension for MediaWiki. The flaw is due to improper input neutralization during web page generation in includes/Timeline.php and scripts/EasyTimeline.pl.

Risk Assessment

An attacker can inject malicious JavaScript code that executes in the victim's browser, potentially leading to session theft, redirection to malicious sites, or data theft.

Recommendation

Immediately update the Timeline extension to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9 (depending on your branch).

Original NVD description (English source)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation timeline. This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl. This issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS