PT-2026-54897 · Mediawiki · Centralauth+1
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-58028
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
MediaWiki versions prior to 1.46.0
MediaWiki versions prior to 1.45.4
MediaWiki versions prior to 1.44.6
MediaWiki versions prior to 1.43.9
CentralAuth versions prior to 1.46.0
CentralAuth versions prior to 1.45.4
CentralAuth versions prior to 1.44.6
CentralAuth versions prior to 1.43.9
Description
Improper neutralization of input during web page generation leads to Cross-site Scripting (XSS), a condition where malicious scripts are injected into trusted websites. This issue occurs when pretty-printed API output is combined with
centralauthtoken and certain gadgets. The flaw is associated with the following program files: includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, and includes/LogFormatter/PermissionChangeLogFormatter.Php.Recommendations
Update MediaWiki to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on the current release branch.
Update CentralAuth to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on the current release branch.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Centralauth
Mediawiki