PT-2026-54897 · Mediawiki · Centralauth+1

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-58028

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.46.0 MediaWiki versions prior to 1.45.4 MediaWiki versions prior to 1.44.6 MediaWiki versions prior to 1.43.9 CentralAuth versions prior to 1.46.0 CentralAuth versions prior to 1.45.4 CentralAuth versions prior to 1.44.6 CentralAuth versions prior to 1.43.9
Description Improper neutralization of input during web page generation leads to Cross-site Scripting (XSS), a condition where malicious scripts are injected into trusted websites. This issue occurs when pretty-printed API output is combined with centralauthtoken and certain gadgets. The flaw is associated with the following program files: includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, and includes/LogFormatter/PermissionChangeLogFormatter.Php.
Recommendations Update MediaWiki to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on the current release branch. Update CentralAuth to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on the current release branch.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58028

Affected Products

Centralauth
Mediawiki