CVE-2026-14358 Overview
CVE-2026-14358 is a stored cross-site scripting (XSS) vulnerability in the Wikimedia Foundation MediaWiki Charts Extension. The flaw stems from improper neutralization of input during web page generation [CWE-79]. Attackers can inject malicious script content that executes in the browsers of users viewing affected wiki pages. The vulnerability affects Charts Extension versions before 1.43.9, 1.44.6, and 1.45.4.
Critical Impact
Successful exploitation enables client-side script execution in the context of the MediaWiki site, allowing session theft, credential harvesting, and unauthorized actions on behalf of authenticated users including administrators.
Affected Products
- MediaWiki Charts Extension versions before 1.43.9
- MediaWiki Charts Extension versions before 1.44.6
- MediaWiki Charts Extension versions before 1.45.4
Discovery Timeline
- 2026-07-01 - CVE-2026-14358 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-14358
Vulnerability Analysis
The Charts Extension for MediaWiki renders chart visualizations from user-supplied data within wiki pages. The extension fails to properly sanitize or encode input values before they are inserted into the generated HTML output. When a user views a wiki page containing a crafted chart definition, the injected script executes within the browser under the origin of the MediaWiki site.
Because MediaWiki instances often permit unauthenticated or low-privileged users to edit pages, an attacker can plant malicious payloads that trigger every time other users load the affected content. This stored XSS pattern amplifies the impact across the user base of the wiki.
Root Cause
The root cause is missing or incomplete output encoding in the chart rendering pipeline of the Charts Extension. User-controlled fields — such as chart labels, titles, or data attributes — flow into the DOM without adequate HTML entity encoding or context-aware escaping, violating the guidance associated with [CWE-79].
Attack Vector
Exploitation occurs over the network without authentication or user interaction beyond viewing the affected page. An attacker submits a chart definition containing a JavaScript payload through a wiki edit. When any user browses the page, the payload executes in that user's session context. Refer to the Wikimedia Phabricator Task and the Wikimedia Gerrit Commit for technical details of the fix.
Detection Methods for CVE-2026-14358
Indicators of Compromise
- Wiki page revisions containing chart markup with HTML tags such as <script>, onerror=, onload=, or javascript: URIs embedded in chart parameters.
- Unexpected outbound requests from user browsers to attacker-controlled domains when loading pages that include charts.
- Anomalous session activity or privilege changes following views of pages with the Charts Extension.
Detection Strategies
- Audit recent revisions of pages using the Charts Extension for suspicious payload patterns in chart definitions.
- Enable and review Content Security Policy (CSP) violation reports for inline script execution blocked on wiki pages.
- Correlate web server logs with RecentChanges entries to identify edits introducing chart content followed by mass page views.
Monitoring Recommendations
- Monitor MediaWiki AbuseFilter logs for edits containing script-like patterns in chart syntax.
- Track administrator and privileged account sessions for unexpected API calls originating from browser contexts.
- Alert on CSP report-uri submissions referencing pages that embed the Charts Extension.
How to Mitigate CVE-2026-14358
Immediate Actions Required
- Upgrade the MediaWiki Charts Extension to version 1.43.9, 1.44.6, or 1.45.4 depending on the deployed MediaWiki branch.
- Review and revert any suspicious page revisions that added chart content since the extension was installed.
- Rotate session tokens and require re-authentication for privileged accounts if exploitation is suspected.
Patch Information
The Wikimedia Foundation released fixed versions of the Charts Extension. Deploy 1.43.9, 1.44.6, or 1.45.4 from the official Wikimedia distribution channels. The remediation is tracked in the Wikimedia Gerrit Commit and Wikimedia Phabricator Task.
Workarounds
- Disable the Charts Extension in LocalSettings.php until the upgrade can be applied.
- Restrict edit permissions on pages that use chart syntax to trusted user groups.
- Deploy a strict Content Security Policy that disallows inline scripts and untrusted script sources to reduce XSS impact.
# Configuration example: disable the Charts Extension in LocalSettings.php
# Comment out or remove the extension load line
# wfLoadExtension( 'Charts' );
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

