Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34089

CVE-2026-34089: Wikimedia Scribunto XSS Vulnerability

CVE-2026-34089 is a cross-site scripting vulnerability in Wikimedia Foundation Scribunto affecting versions 1.45.0 to 1.45.1. This article covers the technical details, affected versions, security impact, and mitigation steps.

Published:

CVE-2026-34089 Overview

CVE-2026-34089 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Wikimedia Foundation Scribunto extension. Scribunto enables MediaWiki sites to embed Lua scripts inside wiki pages. The flaw affects Scribunto versions from 1.45.0 before 1.45.2. Exploitation requires network access, low privileges, and high attack complexity, which constrains real-world impact. The vulnerability produces low availability impact with no direct confidentiality or integrity loss according to the published CVSS 4.0 vector.

Critical Impact

An authenticated user could leverage crafted Scribunto content to trigger a script-related condition affecting availability on MediaWiki instances running vulnerable Scribunto releases.

Affected Products

  • Wikimedia Foundation Scribunto 1.45.0
  • Wikimedia Foundation Scribunto releases up to (but not including) 1.45.2
  • MediaWiki installations that load the Scribunto extension within the affected range

Discovery Timeline

  • 2026-05-11 - CVE-2026-34089 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-34089

Vulnerability Analysis

The vulnerability is classified under [CWE-79], Improper Neutralization of Input During Web Page Generation. Scribunto processes user-controlled module content and renders output back into wiki pages. When the extension fails to neutralize specific input patterns, attacker-controlled markup can influence rendered output. The attack vector is network-based, but the high attack complexity indicates that successful exploitation requires specific conditions beyond a simple request. Low privileges are required, so the attacker needs an account with edit rights on the target wiki. The recorded EPSS probability is 0.052 percent, reflecting limited likelihood of opportunistic exploitation in the next 30 days.

Root Cause

The root cause is insufficient sanitization or encoding of content processed by the Scribunto extension before it is included in HTML output. The fix in Scribunto 1.45.2 addresses the handling path that previously allowed unsanitized content to reach the rendered page context. Refer to the Wikimedia Task T419168 tracking entry for upstream technical detail.

Attack Vector

An authenticated user with edit permissions submits Scribunto module or template content containing crafted payloads. When another user views the rendered page, the unsanitized output is processed by the browser. Because the CVSS 4.0 vector reports VC:N/VI:N/VA:L, the practical impact is limited to an availability condition rather than session theft or data exfiltration. The vulnerability cannot be triggered without an account on the target wiki.

No verified public exploit code is available. The vulnerability mechanism is described in prose per the upstream advisory. See the Wikimedia Task T419168 reference for additional context.

Detection Methods for CVE-2026-34089

Indicators of Compromise

  • Edits to Scribunto modules or templates from low-reputation accounts containing unusual HTML or script-like fragments
  • Page rendering errors or browser console warnings appearing after specific module edits
  • Unexpected entries in MediaWiki RecentChanges involving the Module: namespace on vulnerable installations

Detection Strategies

  • Inventory all MediaWiki deployments and identify those running Scribunto between 1.45.0 and 1.45.2
  • Review edit history for the Module: and Template: namespaces during the exposure window
  • Correlate web server access logs with edit events targeting Scribunto-rendered pages

Monitoring Recommendations

  • Enable MediaWiki abuse filter logging for edits to Scribunto modules
  • Forward MediaWiki logs to a centralized log platform and alert on anomalous module edits by newly created accounts
  • Monitor browser Content Security Policy (CSP) violation reports from authenticated wiki sessions

How to Mitigate CVE-2026-34089

Immediate Actions Required

  • Upgrade Scribunto to version 1.45.2 or later on all MediaWiki instances
  • Audit edit permissions and revoke editing rights from inactive or untrusted accounts
  • Review recent module and template edits for suspicious content and revert as needed

Patch Information

The issue is fixed in Scribunto 1.45.2. Administrators should deploy the patched release through the standard MediaWiki extension update process. Verify the installed version using the Special:Version page after the upgrade. Refer to the Wikimedia Task T419168 advisory for upstream guidance.

Workarounds

  • Restrict edit access to the Module: namespace to trusted editors only
  • Enforce a strict Content Security Policy on the MediaWiki front end to limit inline script execution
  • Disable the Scribunto extension on non-critical wikis until the patch is applied
bash
# Verify and update the Scribunto extension in a MediaWiki deployment
cd /var/www/mediawiki/extensions/Scribunto
git fetch --tags
git checkout 1.45.2
php /var/www/mediawiki/maintenance/update.php --quick

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.