PT-2026-24343 · Unknown+1 · Renderblocking+1
Gui-Ying233 · Published 2026-03-10 · Updated 2026-03-16 · CVE-2026-30977
CVSS v4.0: 2.0 (Low)
| Vector | AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
MediaWiki RenderBlocking versions prior to 0.1.1
Description
The RenderBlocking extension for MediaWiki allows interface administrators to specify render-blocking CSS and JavaScript. Prior to version 0.1.1, a Stored Cross-Site Scripting (XSS) issue exists in the renderblocking-css component when Inline Assets mode is enabled. This requires $wgRenderBlockingInlineAssets to be set to true and the user to have editsitecss permissions.
Recommendations
Update to RenderBlocking version 0.1.1 or later.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Mediawiki
Renderblocking