CVE-2026-30917 Overview
CVE-2026-30917 is a stored Cross-Site Scripting (XSS) vulnerability in the Bucket MediaWiki extension, which is used to store and retrieve structured data on wiki articles. Prior to version 2.1.1, the extension fails to properly sanitize user input in Bucket table fields configured with a PAGE type. This allows attackers to inject malicious scripts that execute in the browsers of users who view the corresponding Bucket namespace page.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of authenticated MediaWiki users, potentially leading to session hijacking, credential theft, unauthorized wiki modifications, and phishing attacks targeting wiki administrators.
Affected Products
- MediaWiki Bucket Extension versions prior to 2.1.1
- MediaWiki installations using Bucket tables with PAGE type fields
- Wikis utilizing the Bucket namespace functionality
Discovery Timeline
- 2026-03-10 - CVE-2026-30917 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30917
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The Bucket extension provides functionality for storing structured data within MediaWiki articles through configurable table fields. When a field is configured with the PAGE type, the extension processes user-supplied input to create links to wiki pages.
The root issue lies in the extension's failure to properly encode or sanitize user input before rendering it in the HTML output. When a malicious user inserts specially crafted content containing JavaScript into a PAGE type field, this content is stored in the database without adequate validation. Subsequently, when any user navigates to the Bucket namespace page displaying that table, the malicious script executes within their browser session.
The attack is network-accessible and requires no authentication, making it exploitable by anonymous users on wikis that allow public editing. The stored nature of this XSS means the payload persists and affects all subsequent visitors to the compromised page.
Root Cause
The vulnerability stems from insufficient input sanitization in the Bucket extension's handling of PAGE type fields. The extension did not properly escape HTML special characters or implement Content Security Policy protections when rendering user-controlled data. This allowed script tags and event handlers to be injected and executed in the context of the wiki domain.
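To illustrate the defect class described above, here is an added Python model (not the Bucket extension's PHP) of rendering a PAGE type value as a link: a concatenating renderer beside one that validates the value as a title and encodes it separately for the URL and the HTML text context. The function names and the /wiki/ path prefix are assumptions for this example.

```python
import html
import re
import urllib.parse

# Illustrative model of rendering a PAGE-type field value as a wiki link.
# Not the Bucket extension's code: it shows the defect class behind
# CVE-2026-30917 and the validation/encoding that closes it. The
# "/wiki/" prefix and function names are assumptions for this example.

def render_link_vulnerable(title: str) -> str:
    """Concatenates the stored value into HTML unencoded, so a value
    containing '"', '<' or '>' breaks out of the attribute or tag."""
    return f'<a href="/wiki/{title}">{title}</a>'

# Characters MediaWiki does not allow in page titles; reject, don't repair.
_ILLEGAL_TITLE_CHARS = re.compile(r'[<>\[\]{}|#]')

def render_link_fixed(title: str) -> str:
    """Validates the value as a title, then encodes it once for the URL
    context (percent-encoding) and once for the HTML context (entities)."""
    title = title.strip()
    if not title or _ILLEGAL_TITLE_CHARS.search(title):
        raise ValueError("value is not a valid page title")
    # Fixed path prefix: a stored "javascript:..." value becomes a plain
    # relative path, never a URL with an executable scheme.
    href = "/wiki/" + urllib.parse.quote(title.replace(" ", "_"), safe="/:()")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(title)}</a>'

def contains_unexpected_markup(markup: str) -> bool:
    """Review helper: true if the rendered HTML contains any tag or
    attribute other than the single <a href> we intended to emit."""
    tags = re.findall(r'<(\w+)', markup)
    attrs = re.findall(r'\s(\w+)=', markup)
    return tags != ['a'] or attrs != ['href']
```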
Attack Vector
The attack is executed through the following sequence:
- An attacker identifies a Bucket table with a PAGE type field on the target MediaWiki installation
- The attacker submits malicious JavaScript payload through the PAGE type input field
- The extension stores the unsanitized input in the MediaWiki database
- When legitimate users browse to the Bucket namespace page containing the compromised table, the malicious script executes in their browser
- The script can then access session cookies, perform actions on behalf of the user, or redirect them to malicious sites
Due to the lack of verified code examples, readers should refer to the GitHub Security Advisory GHSA-8jrp-37wc-5v7c for detailed technical information about the vulnerability mechanics and proof-of-concept examples.
Detection Methods for CVE-2026-30917
Indicators of Compromise
- Unexpected JavaScript code or HTML tags present in Bucket table PAGE type field values in the database
- User reports of unusual browser behavior or redirects when viewing Bucket namespace pages
- Audit logs showing modifications to Bucket tables by unknown or suspicious users
- Cookie exfiltration attempts or unusual network requests originating from wiki pages
Detection Strategies
- Review Bucket table contents in the MediaWiki database for entries containing <script>, javascript:, event handlers (e.g., onerror, onload), or encoded variants
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in requests to MediaWiki endpoints
- Enable and monitor MediaWiki's built-in abuse filter for suspicious content patterns
- Deploy browser-based XSS detection through Content Security Policy violation reporting
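As an added example (not from the advisory or the extension), a Python scanner that applies the first detection strategy above to stored PAGE type values: it decodes HTML entities and percent-encoding before matching so encoded variants are not missed, and reports which indicator fired per row. The sample rows, field name and row layout are constructed stand-ins for a query over the Bucket table.

```python
import html
import re
import urllib.parse

# Added example: flags stored PAGE-type values that carry the indicators the
# advisory names (script tags, javascript: URIs, on* event handlers), after
# undoing encodings that defeat a naive substring search.
_PATTERNS = {
    "script_tag":     re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler":  re.compile(r"\bon[a-z]+\s*=", re.I),
}

def normalize(value: str) -> str:
    """Repeatedly undo HTML entities and percent-encoding (a few rounds cover
    double encoding), then drop control characters browsers ignore in tags."""
    out, prev = value, None
    for _ in range(3):
        if out == prev:
            break
        prev = out
        out = urllib.parse.unquote(html.unescape(out))
    return re.sub(r"[\x00-\x1f]", "", out)

def scan_value(value: str):
    """Returns the names of the indicators found in one field value."""
    normalized = normalize(value)
    return [name for name, pat in _PATTERNS.items() if pat.search(normalized)]

def scan_rows(rows):
    """rows: iterable of (row_id, field_name, value); returns one finding per
    row that carries at least one indicator, for manual review."""
    findings = []
    for row_id, field, value in rows:
        hits = scan_value(value)
        if hits:
            findings.append({"row": row_id, "field": field, "indicators": hits})
    return findings

# Constructed sample rows standing in for a SELECT over the Bucket table.
SAMPLE_ROWS = [
    (1, "related_page", "Main Page"),
    (2, "related_page", "Help:Contents"),
    (3, "related_page", "Foo&lt;script&gt;x()&lt;/script&gt;"),  # entity-encoded tag
    (4, "related_page", "%3Cimg%20src%3Dx%20onerror%3Dx()%3E"),   # percent-encoded handler
    (5, "related_page", "JavaScript&#58;x()"),                    # encoded colon
    (6, "related_page", "Songs about onions"),                    # benign, contains "on"
]
```

Findings are review leads, not verdicts: a legitimate title can contain `on...=` text, so confirm each hit against the page history before acting.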
Monitoring Recommendations
- Configure MediaWiki logging to capture all Bucket table modifications with full user attribution
- Implement real-time alerting for Content Security Policy violations on wiki pages
- Monitor for anomalous session activity that may indicate successful XSS exploitation
- Regularly audit Bucket namespace pages for unauthorized script content
How to Mitigate CVE-2026-30917
Immediate Actions Required
- Upgrade the MediaWiki Bucket extension to version 2.1.1 or later immediately
- Audit all existing Bucket tables with PAGE type fields for malicious content
- Temporarily disable Bucket extension functionality if upgrade cannot be performed immediately
- Review recent edit logs for suspicious modifications to Bucket tables
Patch Information
The vulnerability has been fixed in Bucket extension version 2.1.1. The fix implements proper input sanitization for PAGE type fields to prevent script injection. The security patches are available in the following commits:
Administrators should update their Bucket extension installation through the standard MediaWiki extension update process.
Workarounds
- Implement strict Content Security Policy headers to prevent inline script execution on the wiki
- Restrict editing permissions for Bucket tables to trusted users only until patching is complete
- Use MediaWiki's AbuseFilter extension to block submissions containing script tags or event handlers
- Temporarily convert PAGE type fields to safer field types if extension upgrade is delayed
# Configuration example
# Add to LocalSettings.php to send restrictive CSP headers.
# MediaWiki's $wgCSPHeader takes, per directive, an array of *additional*
# sources; 'self' is included automatically, so an empty array keeps that
# directive at 'self'. Inspect the Content-Security-Policy header the wiki
# actually sends before relying on it, since MediaWiki adds its own sources.
$wgCSPHeader = [
    'default-src' => [],
    'script-src'  => [],
    'style-src'   => [ "'unsafe-inline'" ],   # MediaWiki's own inline styles need this
    'object-src'  => [ "'none'" ],
    # frame-ancestors is not a $wgCSPHeader key; control framing separately
    # (e.g. MediaWiki's frame-breaking/X-Frame-Options settings).
];
# Restrict Bucket namespace editing to users holding the 'autoconfirmed' right.
# NS_BUCKET is assumed to be the constant the extension defines for its
# namespace; check the extension's namespace registration for the real name.
$wgNamespaceProtection[NS_BUCKET] = ['autoconfirmed'];
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


