
CVE-2026-30917: MediaWiki Bucket Extension XSS Vulnerability

CVE-2026-30917 is a stored XSS vulnerability in the MediaWiki Bucket extension affecting PAGE type fields. Attackers can inject malicious scripts that execute when users view Bucket namespace pages. Learn about affected versions and mitigation.

CVE-2026-30917 Overview

CVE-2026-30917 is a stored Cross-Site Scripting (XSS) vulnerability in the Bucket MediaWiki extension, which is used to store and retrieve structured data on wiki articles. Prior to version 2.1.1, the extension fails to properly sanitize user input in Bucket table fields configured with a PAGE type. This allows attackers to inject malicious scripts that execute in the browsers of users who view the corresponding Bucket namespace page.

Critical Impact

Attackers can execute arbitrary JavaScript in the context of authenticated MediaWiki users, potentially leading to session hijacking, credential theft, unauthorized wiki modifications, and phishing attacks targeting wiki administrators.

Affected Products

  • MediaWiki Bucket Extension versions prior to 2.1.1
  • MediaWiki installations using Bucket tables with PAGE type fields
  • Wikis utilizing the Bucket namespace functionality

Discovery Timeline

  • 2026-03-10 - CVE-2026-30917 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-30917

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The Bucket extension provides functionality for storing structured data within MediaWiki articles through configurable table fields. When a field is configured with the PAGE type, the extension processes user-supplied input to create links to wiki pages.

The root issue lies in the extension's failure to properly encode or sanitize user input before rendering it in the HTML output. When a malicious user inserts specially crafted content containing JavaScript into a PAGE type field, this content is stored in the database without adequate validation. Subsequently, when any user navigates to the Bucket namespace page displaying that table, the malicious script executes within their browser session.

The attack is network-accessible and requires no authentication, making it exploitable by anonymous users on wikis that allow public editing. The stored nature of this XSS means the payload persists and affects all subsequent visitors to the compromised page.

Root Cause

The vulnerability stems from insufficient input sanitization in the Bucket extension's handling of PAGE type fields. The extension did not properly escape HTML special characters or implement Content Security Policy protections when rendering user-controlled data. This allowed script tags and event handlers to be injected and executed in the context of the wiki domain.
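The two patterns below are an added illustration of the root cause described above; they are not the Bucket extension's code, and the function names (renderPageLinkVulnerable, renderPageLinkSafe) and the /wiki/ URL layout are assumptions. The first concatenates a stored PAGE-type value straight into HTML; the second validates it as a page title and encodes it on output.

```php
<?php
// Added illustration; this is not the Bucket extension's code. It models the
// failure described above: a stored PAGE-type value is turned into a wiki link
// with and without output encoding. Function names are hypothetical.

/**
 * Vulnerable pattern: the stored value is concatenated straight into HTML.
 * A value carrying a quote and a tag breaks out of the attribute and becomes
 * live markup on every view of the Bucket namespace page.
 */
function renderPageLinkVulnerable( string $value ): string {
    $href = '/wiki/' . str_replace( ' ', '_', $value );
    return '<a href="' . $href . '">' . $value . '</a>';
}

/**
 * Hardened pattern: validate the value as a page title first, then escape
 * both the attribute and the text node. A real extension would use
 * Title::newFromText() and Html::element(); plain PHP keeps this runnable.
 *
 * @return string|null Rendered link, or null when the value is not a valid title.
 */
function renderPageLinkSafe( string $value ): ?string {
    // These characters can never appear in a MediaWiki page title, and they
    // are exactly the raw material for tag and attribute injection.
    if ( $value === '' || preg_match( '/[<>\[\]{}|#]/', $value ) ) {
        return null;
    }
    $target = rawurlencode( str_replace( ' ', '_', $value ) );
    $text = htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<a href="/wiki/' . $target . '">' . $text . '</a>';
}

// Constructed sample values: one ordinary title, one hostile one.
$samples = [
    'Main Page',
    'Main Page"><script>alert(1)</script>',
];
foreach ( $samples as $value ) {
    echo "input:      $value\n";
    echo "vulnerable: " . renderPageLinkVulnerable( $value ) . "\n";
    echo "hardened:   " . ( renderPageLinkSafe( $value ) ?? '(rejected)' ) . "\n\n";
}
```

Run it with `php` on the command line. The hardened variant rejects the hostile value outright because it contains characters no title can hold; values that pass validation but still carry quotes are neutralised by rawurlencode() in the attribute and htmlspecialchars() in the text node, which is the encoding step the vulnerable variant omits.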

Attack Vector

The attack is executed through the following sequence:

  1. An attacker identifies a Bucket table with a PAGE type field on the target MediaWiki installation
  2. The attacker submits malicious JavaScript payload through the PAGE type input field
  3. The extension stores the unsanitized input in the MediaWiki database
  4. When legitimate users browse to the Bucket namespace page containing the compromised table, the malicious script executes in their browser
  5. The script can then access session cookies, perform actions on behalf of the user, or redirect them to malicious sites

Because this page carries no verified code samples, readers should consult the GitHub Security Advisory GHSA-8jrp-37wc-5v7c for the vulnerability mechanics and proof-of-concept details.

Detection Methods for CVE-2026-30917

Indicators of Compromise

  • Unexpected JavaScript code or HTML tags present in Bucket table PAGE type field values in the database
  • User reports of unusual browser behavior or redirects when viewing Bucket namespace pages
  • Audit logs showing modifications to Bucket tables by unknown or suspicious users
  • Cookie exfiltration attempts or unusual network requests originating from wiki pages

Detection Strategies

  • Review Bucket table contents in the MediaWiki database for entries containing <script>, javascript:, event handlers (e.g., onerror, onload), or encoded variants
  • Implement Web Application Firewall (WAF) rules to detect XSS patterns in requests to MediaWiki endpoints
  • Enable and monitor MediaWiki's built-in abuse filter for suspicious content patterns
  • Deploy browser-based XSS detection through Content Security Policy violation reporting
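The scanner below is an added example that applies the indicators from the two lists above (script tags, javascript: URLs, on* event handlers, illegal title characters and their encoded variants) to stored PAGE-field values. It is not part of the advisory or the extension; the $rows array stands in for a query against the extension's tables and holds constructed sample data, and the column names are hypothetical.

```php
<?php
// Added example, not part of the advisory or the extension. It applies the
// indicators listed above (script tags, javascript: URLs, on* handlers and
// their encoded variants) to stored PAGE-field values. $rows stands in for
// a query against the extension's tables and holds constructed sample data;
// the column names are hypothetical.

/** Undo percent- and entity-encoding (a few rounds) and drop control bytes. */
function normaliseForScan( string $value ): string {
    $decoded = $value;
    for ( $round = 0; $round < 3; $round++ ) {
        $next = html_entity_decode( rawurldecode( $decoded ), ENT_QUOTES | ENT_HTML5, 'UTF-8' );
        if ( $next === $decoded ) {
            break;
        }
        $decoded = $next;
    }
    // Browsers ignore tabs/newlines inside "java\tscript:", so the scanner must too.
    return preg_replace( '/[\x00-\x1f]/', '', $decoded );
}

/** Return the names of every indicator matched by the raw or normalised value. */
function scanPageFieldValue( string $value ): array {
    $indicators = [
        // A valid MediaWiki title never contains these; their presence alone is anomalous.
        'illegal_title_chars' => '/[<>\[\]{}|]/',
        'script_tag'          => '/<\s*script\b/i',
        'javascript_uri'      => '/javascript\s*:/i',
        'event_handler'       => '/(?:^|[\s"\'\/<>])on[a-z]+\s*=/i',
    ];
    $hits = [];
    foreach ( [ $value, normaliseForScan( $value ) ] as $candidate ) {
        foreach ( $indicators as $name => $regex ) {
            if ( preg_match( $regex, $candidate ) ) {
                $hits[$name] = true;
            }
        }
    }
    return array_keys( $hits );
}

// Constructed rows standing in for: SELECT page_id, field_name, field_value FROM <bucket table>
$rows = [
    [ 'page_id' => 101, 'field_name' => 'related', 'field_value' => 'Main Page' ],
    [ 'page_id' => 102, 'field_name' => 'related', 'field_value' => 'Foo"><script>alert(1)</script>' ],
    [ 'page_id' => 103, 'field_name' => 'related', 'field_value' => 'x" onerror="alert(1)' ],
    [ 'page_id' => 104, 'field_name' => 'related', 'field_value' => '&lt;img src=x onload=alert(1)&gt;' ],
    [ 'page_id' => 105, 'field_name' => 'related', 'field_value' => 'jav%09ascript:alert(1)' ],
];

foreach ( $rows as $row ) {
    $hits = scanPageFieldValue( $row['field_value'] );
    if ( $hits ) {
        printf( "page %d field %s: %s\n", $row['page_id'], $row['field_name'], implode( ', ', $hits ) );
    }
}
```

Every flagged row is a candidate for manual review, not a confirmed compromise. The illegal_title_chars rule is the most reliable signal for this field type: a PAGE field is supposed to hold a page title, and a title can never legitimately contain angle brackets, braces, square brackets or a pipe, so anything matching it after decoding should be examined and the edit history of that row pulled from the wiki's logs.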

Monitoring Recommendations

  • Configure MediaWiki logging to capture all Bucket table modifications with full user attribution
  • Implement real-time alerting for Content Security Policy violations on wiki pages
  • Monitor for anomalous session activity that may indicate successful XSS exploitation
  • Regularly audit Bucket namespace pages for unauthorized script content

How to Mitigate CVE-2026-30917

Immediate Actions Required

  • Upgrade the MediaWiki Bucket extension to version 2.1.1 or later immediately
  • Audit all existing Bucket tables with PAGE type fields for malicious content
  • Temporarily disable Bucket extension functionality if upgrade cannot be performed immediately
  • Review recent edit logs for suspicious modifications to Bucket tables

Patch Information

The vulnerability has been fixed in Bucket extension version 2.1.1. The fix implements proper input sanitization for PAGE type fields to prevent script injection. The security patches are available in the following commits:

Administrators should update their Bucket extension installation through the standard MediaWiki extension update process.

Workarounds

  • Implement strict Content Security Policy headers to prevent inline script execution on the wiki
  • Restrict editing permissions for Bucket tables to trusted users only until patching is complete
  • Use MediaWiki's AbuseFilter extension to block submissions containing script tags or event handlers
  • Temporarily convert PAGE type fields to safer field types if extension upgrade is delayed
```php
// Configuration example: add to LocalSettings.php to send restrictive CSP headers.
// $wgCSPHeader takes, per directive, an array of additional allowed sources;
// MediaWiki adds 'self' (and a per-request script nonce) on its own.
$wgCSPHeader = [
    'default-src' => [],
    'script-src' => [],
    'style-src' => [],
    'object-src' => [ "'none'" ],
    'frame-ancestors' => [ "'self'" ],
];

// Restrict Bucket namespace editing to autoconfirmed users
$wgNamespaceProtection[NS_BUCKET] = [ 'autoconfirmed' ];
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
