PT-2026-31044 · Wikimedia Foundation · Mediawiki - Campaignevents Extension
Daimona · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-39935
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Mediawiki - CampaignEvents Extension versions 1.43.7, 1.44.4, and 1.45.2
Description
The Wikimedia Foundation Mediawiki - CampaignEvents Extension is susceptible to a cross-site scripting (XSS) issue due to improper input neutralization during web page generation. This allows for the injection of malicious scripts into web pages viewed by other users.
Recommendations
Update to a newer version of the Mediawiki - CampaignEvents Extension that addresses this issue. As a temporary workaround, carefully sanitize all user-supplied input before rendering it in web pages.
Fix
XSS
Affected Products
Mediawiki - Campaignevents Extension