CVE-2026-34089 Overview
CVE-2026-34089 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Wikimedia Foundation Scribunto extension. Scribunto enables MediaWiki sites to embed Lua scripts inside wiki pages. The flaw affects Scribunto versions from 1.45.0 before 1.45.2. Exploitation requires network access, low privileges, and high attack complexity, which constrains real-world impact. The vulnerability produces low availability impact with no direct confidentiality or integrity loss according to the published CVSS 4.0 vector.
Critical Impact
An authenticated user could leverage crafted Scribunto content to trigger a script-related condition affecting availability on MediaWiki instances running vulnerable Scribunto releases.
Affected Products
- Wikimedia Foundation Scribunto 1.45.0
- Wikimedia Foundation Scribunto releases up to (but not including) 1.45.2
- MediaWiki installations that load the Scribunto extension within the affected range
Discovery Timeline
- 2026-05-11 - CVE-2026-34089 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-34089
Vulnerability Analysis
The vulnerability is classified under [CWE-79], Improper Neutralization of Input During Web Page Generation. Scribunto processes user-controlled module content and renders output back into wiki pages. When the extension fails to neutralize specific input patterns, attacker-controlled markup can influence rendered output. The attack vector is network-based, but the high attack complexity indicates that successful exploitation requires specific conditions beyond a simple request. Low privileges are required, so the attacker needs an account with edit rights on the target wiki. The recorded EPSS probability is 0.052 percent, reflecting limited likelihood of opportunistic exploitation in the next 30 days.
Root Cause
The root cause is insufficient sanitization or encoding of content processed by the Scribunto extension before it is included in HTML output. The fix in Scribunto 1.45.2 addresses the handling path that previously allowed unsanitized content to reach the rendered page context. Refer to the Wikimedia Task T419168 tracking entry for upstream technical detail.
Attack Vector
An authenticated user with edit permissions submits Scribunto module or template content containing crafted payloads. When another user views the rendered page, the unsanitized output is processed by the browser. Because the CVSS 4.0 vector reports VC:N/VI:N/VA:L, the practical impact is limited to an availability condition rather than session theft or data exfiltration. The vulnerability cannot be triggered without an account on the target wiki.
No verified public exploit code is available. The vulnerability mechanism is described in prose per the upstream advisory. See the Wikimedia Task T419168 reference for additional context.
Detection Methods for CVE-2026-34089
Indicators of Compromise
- Edits to Scribunto modules or templates from low-reputation accounts containing unusual HTML or script-like fragments
- Page rendering errors or browser console warnings appearing after specific module edits
- Unexpected entries in MediaWiki RecentChanges involving the Module: namespace on vulnerable installations
Detection Strategies
- Inventory all MediaWiki deployments and identify those running Scribunto between 1.45.0 and 1.45.2
- Review edit history for the Module: and Template: namespaces during the exposure window
- Correlate web server access logs with edit events targeting Scribunto-rendered pages
Monitoring Recommendations
- Enable MediaWiki abuse filter logging for edits to Scribunto modules
- Forward MediaWiki logs to a centralized log platform and alert on anomalous module edits by newly created accounts
- Monitor browser Content Security Policy (CSP) violation reports from authenticated wiki sessions
How to Mitigate CVE-2026-34089
Immediate Actions Required
- Upgrade Scribunto to version 1.45.2 or later on all MediaWiki instances
- Audit edit permissions and revoke editing rights from inactive or untrusted accounts
- Review recent module and template edits for suspicious content and revert as needed
Patch Information
The issue is fixed in Scribunto 1.45.2. Administrators should deploy the patched release through the standard MediaWiki extension update process. Verify the installed version using the Special:Version page after the upgrade. Refer to the Wikimedia Task T419168 advisory for upstream guidance.
Workarounds
- Restrict edit access to the Module: namespace to trusted editors only
- Enforce a strict Content Security Policy on the MediaWiki front end to limit inline script execution
- Disable the Scribunto extension on non-critical wikis until the patch is applied
# Verify and update the Scribunto extension in a MediaWiki deployment
cd /var/www/mediawiki/extensions/Scribunto
git fetch --tags
git checkout 1.45.2
php /var/www/mediawiki/maintenance/update.php --quick
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

