CVE-2026-30977 Overview
CVE-2026-30977 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the RenderBlocking extension for MediaWiki. This extension allows interface administrators to specify render-blocking CSS and JavaScript for wiki pages. Prior to version 0.1.1, the extension is vulnerable to Stored XSS in the renderblocking-css component when Inline Assets mode is enabled.
The vulnerability requires specific conditions to be exploited: the configuration variable $wgRenderBlockingInlineAssets must be set to true, and the attacker must possess editsitecss user rights. While these prerequisites limit the attack surface, successful exploitation could allow a privileged attacker to inject persistent malicious scripts into wiki pages.
Critical Impact
Authenticated attackers with interface administrator privileges can inject persistent malicious JavaScript that executes in the context of other users viewing affected wiki pages.
Affected Products
- RenderBlocking MediaWiki Extension versions prior to 0.1.1
- MediaWiki installations with RenderBlocking extension and $wgRenderBlockingInlineAssets = true
- Systems where users have editsitecss permissions
Discovery Timeline
- 2026-03-10 - CVE-2026-30977 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30977
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in how the RenderBlocking extension handles inline CSS and JavaScript content when injecting it into the page output.
The root issue is the use of Html::rawElement() to insert user-controlled CSS and JavaScript content directly into the page's HTML head section. This method emits its content verbatim, with no sanitization or encoding for the HTML context, so a CSS string that contains a closing tag followed by a script element is interpreted by browsers as markup rather than as a stylesheet, and the script is executed.
When Inline Assets mode is enabled ($wgRenderBlockingInlineAssets = true), the extension takes CSS content from site configuration pages and embeds it directly into the rendered HTML. An attacker with editsitecss privileges can craft malicious CSS or JavaScript that, when processed by Html::rawElement(), results in script execution in visitors' browsers.
Root Cause
The vulnerability originates in the addInlineAssets() method within includes/RenderBlockingHooks.php. The function used Html::rawElement() to construct the <style> and <script> tags, which passes content through unchanged. This approach trusts the content implicitly instead of encoding it for the HTML context it is placed in, violating the security principle of neutralizing input before web page generation.
Attack Vector
The attack requires network access and involves an authenticated attacker with elevated privileges (editsitecss rights). The attacker would:
- Obtain or possess editsitecss user rights on the target MediaWiki installation
- Ensure the target wiki has $wgRenderBlockingInlineAssets set to true
- Edit the site CSS configuration to include a malicious JavaScript payload disguised as or embedded within CSS content
- Wait for any user to visit a page rendered with the RenderBlocking extension; the malicious script then executes in that visitor's browser context
// Security patch in includes/RenderBlockingHooks.php
// Source: https://github.com/lihaohong6/RenderBlocking/commit/096fc47dad9dca153b02cba3db81f412c87fb2be
private function addInlineAssets( OutputPage $out, string $css, string $js ): void {
if ( $css ) {
- $out->addHeadItem( 'renderblocking-css', Html::rawElement( 'style', [], $css ) );
+ $out->addHeadItem( 'renderblocking-css', Html::inlineStyle( $css ) );
}
if ( $js ) {
- $out->addHeadItem( 'renderblocking-js', Html::rawElement( 'script', [], $js ) );
+ $out->addHeadItem( 'renderblocking-js', Html::inlineScript( $js ) );
}
}
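Review bot: the `$js` branch still emits interface-admin JavaScript verbatim; in MediaWiki core Html::inlineScript() only refuses content containing a `<script`/`</script` sequence (so the element cannot be closed early) and otherwise wraps it unchanged, which is the intended behaviour for a site-JS feature but means the editsitejs/editsitecss rights remain the trust boundary and should be documented as such. Two things worth checking before merge: Html::inlineScript() takes an optional nonce argument and warns when the wiki enforces a nonce-based Content Security Policy, so `Html::inlineScript( $js, $out->getCSP()->getNonce() )` would keep the script working on CSP-enabled wikis; and the `if ( $css )` / `if ( $js )` guards treat the string "0" as empty, which is harmless here but `$css !== ''` states the intent more precisely.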
The fix replaces Html::rawElement() with MediaWiki's safer Html::inlineStyle() and Html::inlineScript() methods, which encode or reject content that would close the enclosing element, so CSS or JavaScript text can no longer break out into markup when inserted into the page head.
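To make the mechanism concrete, here is an added Python re-creation of the two wrappers; it is not code from the RenderBlocking extension or from MediaWiki core. raw_style_element() reproduces the pre-0.1.1 behaviour. inline_style_element() and inline_script_element() reproduce, as assumptions from reading MediaWiki core's Html class, the '<' escaping that Html::inlineStyle() applies and the closing-tag guard that Html::inlineScript() applies. script_escapes_style() emulates the one HTML tokenizer rule that matters here, that a style element's raw text ends at the first '</style' the parser meets. BREAKOUT_CSS is a constructed sample.

```python
import re

# Constructed sample: ordinary CSS followed by a tag breakout, used only to
# show that the two wrappers behave differently on the same input.
BREAKOUT_CSS = "body { color: red }</style><script>alert('xss')</script>"


def raw_style_element(css: str) -> str:
    """Pre-0.1.1 behaviour: Html::rawElement( 'style', [], $css ) drops the
    content into the element verbatim, so a '</style>' inside it ends the
    element early."""
    return f"<style>{css}</style>"


def inline_style_element(css: str) -> str:
    """Re-creation of the escaping Html::inlineStyle() applies (assumption
    from reading MediaWiki core; check your version). '<' becomes the CSS
    hex escape '\\3C ' so the HTML tokenizer never sees a tag inside the
    block; '>' is kept because it is the CSS child combinator."""
    escaped = css.replace("<", "\\3C ").replace("]]>", "\\5D\\5D\\3E ")
    return f"<style>{escaped}</style>"


def inline_script_element(js: str) -> str:
    """Re-creation of the guard in Html::inlineScript() (same assumption):
    JavaScript containing a '<script' or '</script' sequence is replaced
    with a comment instead of being emitted, because a script element can
    never safely contain its own closing tag. Everything else is still
    emitted verbatim, so the editsitejs right remains the trust boundary."""
    if re.search(r"</?script", js, re.IGNORECASE):
        js = "/* ERROR: Invalid script */"
    return f"<script>{js}</script>"


def script_escapes_style(html: str) -> bool:
    """Apply the HTML tokenizer rule that matters here: style content is raw
    text that ends at the first '</style' the parser meets. Report whether a
    '<script' start tag appears at or after that point, i.e. outside the
    style element, where a browser would parse and run it."""
    lower = html.lower()
    content_start = lower.index(">", lower.index("<style")) + 1
    close = lower.find("</style", content_start)
    remainder = lower[close:] if close != -1 else ""
    return "<script" in remainder


if __name__ == "__main__":
    for label, wrap in (("rawElement", raw_style_element),
                        ("inlineStyle", inline_style_element)):
        html = wrap(BREAKOUT_CSS)
        print(f"{label:12s} breakout={script_escapes_style(html)}  {html}")
```

Running the file prints the same CSS wrapped both ways: the rawElement form contains a live script element after the prematurely closed style tag, while the inlineStyle form keeps the whole string inside one style element because every '<' has become a CSS escape the HTML parser does not recognise as a tag.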
Detection Methods for CVE-2026-30977
Indicators of Compromise
- Unusual or obfuscated content in MediaWiki site CSS configuration pages
- Unexpected JavaScript or encoded script patterns within CSS files edited by users with editsitecss privileges
- Browser console errors or unexpected network requests originating from wiki pages
- User reports of unexpected behavior when viewing wiki pages
Detection Strategies
- Review audit logs for modifications to site CSS pages by users with editsitecss permissions
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Monitor for changes to the MediaWiki:Common.css and related configuration pages
- Deploy web application firewalls (WAF) with rules to detect XSS patterns in CSS content
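A concrete form of the first three strategies above, together with a check for the configuration precondition the advisory describes, as an added Python example that is not part of this advisory or of MediaWiki. scan_revisions() walks the revision history of a site CSS page and reports each revision that contains markup indicators along with the editing user; SAMPLE_RESPONSE is a constructed stand-in for the JSON that api.php returns for the query named in the comment. inline_assets_enabled() reads LocalSettings.php text and reports whether $wgRenderBlockingInlineAssets is explicitly set to true.

```python
import json
import re
from typing import Optional

# Constructed sample shaped like a MediaWiki API response for
# action=query&prop=revisions&rvprop=ids|user|timestamp|content&rvslots=main&formatversion=2
# on a site CSS page. The page title follows the real MediaWiki convention;
# the revision ids, users, timestamps and content are invented.
SAMPLE_RESPONSE = json.dumps({"query": {"pages": [{
    "title": "MediaWiki:Common.css",
    "revisions": [
        {"revid": 1001, "user": "WikiAdmin", "timestamp": "2026-03-01T10:00:00Z",
         "slots": {"main": {"content": "body > .content { font-size: 14px; }"}}},
        {"revid": 1002, "user": "WikiAdmin", "timestamp": "2026-03-02T11:30:00Z",
         "slots": {"main": {"content": ".infobox { border: 1px solid #aaa; }"}}},
        {"revid": 1003, "user": "Intfadmin42", "timestamp": "2026-03-09T23:59:00Z",
         "slots": {"main": {"content":
             ".x{color:red}</style><script src=\"https://example.invalid/x.js\"></script>"}}},
    ]}]}})

# Indicators that a stylesheet is carrying markup. Legitimate site CSS never
# needs a '<' (the child combinator is '>'), so the bare angle bracket is the
# single most useful signal; the others catch older script-in-CSS tricks.
INDICATORS = [
    ("tag-breakout", re.compile(r"</?\s*(style|script)\b", re.IGNORECASE)),
    ("angle-bracket", re.compile(r"<")),
    ("script-url", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("ie-expression", re.compile(r"expression\s*\(", re.IGNORECASE)),
]


def scan_revisions(api_json: str) -> list:
    """One finding per (revision, indicator) pair, carrying the editing user
    and timestamp so the audit-log review can start from it."""
    findings = []
    for page in json.loads(api_json)["query"]["pages"]:
        for rev in page["revisions"]:
            content = rev["slots"]["main"]["content"]
            for name, pattern in INDICATORS:
                if pattern.search(content):
                    findings.append({"page": page["title"], "revid": rev["revid"],
                                     "user": rev["user"], "timestamp": rev["timestamp"],
                                     "indicator": name})
    return findings


def inline_assets_enabled(localsettings: str) -> Optional[bool]:
    """Whether LocalSettings.php explicitly turns Inline Assets mode on, i.e.
    whether a pre-0.1.1 extension is exposed. Block and line comments are
    stripped first so a commented-out assignment does not count; the last
    live assignment wins, as in PHP. None means the setting is absent, in
    which case the extension's own default applies (not covered here)."""
    code = re.sub(r"/\*.*?\*/", "", localsettings, flags=re.DOTALL)
    code = re.sub(r"(//|#)[^\n]*", "", code)
    values = re.findall(r"\$wgRenderBlockingInlineAssets\s*=\s*(true|false)\s*;",
                        code, re.IGNORECASE)
    if not values:
        return None
    return values[-1].lower() == "true"


if __name__ == "__main__":
    for finding in scan_revisions(SAMPLE_RESPONSE):
        print(finding)
    print("inline assets on:", inline_assets_enabled("$wgRenderBlockingInlineAssets = true;"))
```

Against the sample, only revision 1003 is flagged, twice (tag breakout and bare '<'), with the user who saved it; the two earlier revisions pass even though one uses the '>' combinator, which is why the check keys on '<' rather than on any angle bracket.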
Monitoring Recommendations
- Enable verbose logging for MediaWiki page edits, particularly for system namespace pages
- Configure alerts for modifications to site-wide CSS and JavaScript configuration pages
- Regularly audit users with elevated permissions such as editsitecss and interface-admin
- Implement file integrity monitoring on MediaWiki extension directories
How to Mitigate CVE-2026-30977
Immediate Actions Required
- Upgrade the RenderBlocking extension to version 0.1.1 or later immediately
- Audit all users with editsitecss permissions and remove unnecessary access
- Review recent changes to site CSS configuration for potentially malicious content
- Consider temporarily disabling Inline Assets mode by setting $wgRenderBlockingInlineAssets = false
Patch Information
The vulnerability has been fixed in RenderBlocking version 0.1.1. The patch is available through the GitHub Release v0.1.1. Administrators should update their MediaWiki extensions to this version or later to remediate the vulnerability.
The specific security fix can be reviewed in the GitHub Commit Details. Additional information is available in the GitHub Security Advisory GHSA-4h5r-8rjm-496r.
Workarounds
- Disable Inline Assets mode by setting $wgRenderBlockingInlineAssets = false in LocalSettings.php
- Restrict editsitecss permissions to only trusted administrators
- Implement strict Content Security Policy headers to limit script execution sources
- Consider disabling the RenderBlocking extension entirely until the patch can be applied
# Configuration example - Disable Inline Assets mode in LocalSettings.php
# Add the following line to your MediaWiki LocalSettings.php file:
$wgRenderBlockingInlineAssets = false;
# Verify the installed extension version after updating. showSiteStats.php reports page and
# user counts, not extension versions; read the version field of the extension manifest instead
# (assumes the standard extensions/RenderBlocking install path) or open Special:Version in the wiki:
grep -m1 '"version"' extensions/RenderBlocking/extension.json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.