Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14358

CVE-2026-14358: MediaWiki Charts Extension XSS Vulnerability

CVE-2026-14358 is a cross-site scripting flaw in MediaWiki Charts Extension that allows attackers to inject malicious scripts. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-14358 Overview

CVE-2026-14358 is a stored cross-site scripting (XSS) vulnerability in the Wikimedia Foundation MediaWiki Charts Extension. The flaw stems from improper neutralization of input during web page generation [CWE-79]. Attackers can inject malicious script content that executes in the browsers of users viewing affected wiki pages. The vulnerability affects Charts Extension versions before 1.43.9, 1.44.6, and 1.45.4.

Critical Impact

Successful exploitation enables client-side script execution in the context of the MediaWiki site, allowing session theft, credential harvesting, and unauthorized actions on behalf of authenticated users including administrators.

Affected Products

  • MediaWiki Charts Extension versions before 1.43.9
  • MediaWiki Charts Extension versions before 1.44.6
  • MediaWiki Charts Extension versions before 1.45.4

Discovery Timeline

  • 2026-07-01 - CVE-2026-14358 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-14358

Vulnerability Analysis

The Charts Extension for MediaWiki renders chart visualizations from user-supplied data within wiki pages. The extension fails to properly sanitize or encode input values before they are inserted into the generated HTML output. When a user views a wiki page containing a crafted chart definition, the injected script executes within the browser under the origin of the MediaWiki site.

Because MediaWiki instances often permit unauthenticated or low-privileged users to edit pages, an attacker can plant malicious payloads that trigger every time other users load the affected content. This stored XSS pattern amplifies the impact across the user base of the wiki.

Root Cause

The root cause is missing or incomplete output encoding in the chart rendering pipeline of the Charts Extension. User-controlled fields — such as chart labels, titles, or data attributes — flow into the DOM without adequate HTML entity encoding or context-aware escaping, violating the guidance associated with [CWE-79].

Attack Vector

Exploitation occurs over the network without authentication or user interaction beyond viewing the affected page. An attacker submits a chart definition containing a JavaScript payload through a wiki edit. When any user browses the page, the payload executes in that user's session context. Refer to the Wikimedia Phabricator Task and the Wikimedia Gerrit Commit for technical details of the fix.

Detection Methods for CVE-2026-14358

Indicators of Compromise

  • Wiki page revisions containing chart markup with HTML tags such as <script>, onerror=, onload=, or javascript: URIs embedded in chart parameters.
  • Unexpected outbound requests from user browsers to attacker-controlled domains when loading pages that include charts.
  • Anomalous session activity or privilege changes following views of pages with the Charts Extension.

Detection Strategies

  • Audit recent revisions of pages using the Charts Extension for suspicious payload patterns in chart definitions.
  • Enable and review Content Security Policy (CSP) violation reports for inline script execution blocked on wiki pages.
  • Correlate web server logs with RecentChanges entries to identify edits introducing chart content followed by mass page views.

Monitoring Recommendations

  • Monitor MediaWiki AbuseFilter logs for edits containing script-like patterns in chart syntax.
  • Track administrator and privileged account sessions for unexpected API calls originating from browser contexts.
  • Alert on CSP report-uri submissions referencing pages that embed the Charts Extension.

How to Mitigate CVE-2026-14358

Immediate Actions Required

  • Upgrade the MediaWiki Charts Extension to version 1.43.9, 1.44.6, or 1.45.4 depending on the deployed MediaWiki branch.
  • Review and revert any suspicious page revisions that added chart content since the extension was installed.
  • Rotate session tokens and require re-authentication for privileged accounts if exploitation is suspected.

Patch Information

The Wikimedia Foundation released fixed versions of the Charts Extension. Deploy 1.43.9, 1.44.6, or 1.45.4 from the official Wikimedia distribution channels. The remediation is tracked in the Wikimedia Gerrit Commit and Wikimedia Phabricator Task.

Workarounds

  • Disable the Charts Extension in LocalSettings.php until the upgrade can be applied.
  • Restrict edit permissions on pages that use chart syntax to trusted user groups.
  • Deploy a strict Content Security Policy that disallows inline scripts and untrusted script sources to reduce XSS impact.
bash
# Configuration example: disable the Charts Extension in LocalSettings.php
# Comment out or remove the extension load line
# wfLoadExtension( 'Charts' );

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.