CVE-2026-58038
UnknownCVSS 0.0Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
Cross-Site Scripting (XSS) vulnerability in the Timeline extension for MediaWiki. The flaw is due to improper input neutralization during web page generation in includes/Timeline.php and scripts/EasyTimeline.pl.
Risk Assessment
An attacker can inject malicious JavaScript code that executes in the victim's browser, potentially leading to session theft, redirection to malicious sites, or data theft.
Recommendation
Immediately update the Timeline extension to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9 (depending on your branch).
Original NVD description (English source)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation timeline. This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl. This issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

