CVE-2026-58035 Overview
CVE-2026-58035 is a Cross-Site Scripting (XSS) vulnerability in Wikimedia Foundation MediaWiki. The flaw resides in the resources/src/mediawiki.Special.Block/SpecialBlock.Vue component used by the Special:Block interface. The vulnerability stems from improper neutralization of input during web page generation, tracked under [CWE-79]. An authenticated attacker with high privileges can inject script content that executes in another user's browser session when the victim interacts with crafted input. The issue affects MediaWiki installations that expose the Vue-based Special:Block administrative interface.
Critical Impact
Authenticated high-privilege attackers can inject client-side scripts through the Special:Block Vue component, requiring user interaction to trigger execution in a victim's browser context.
Affected Products
- Wikimedia Foundation MediaWiki
- MediaWiki resources/src/mediawiki.Special.Block/SpecialBlock.Vue component
- Installations exposing the Special:Block administrative interface
Discovery Timeline
- 2026-07-01 - CVE-2026-58035 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-58035
Vulnerability Analysis
The vulnerability is a stored or reflected Cross-Site Scripting (XSS) issue classified under [CWE-79]. It affects the Vue-based front-end component SpecialBlock.Vue, which powers the Special:Block administrative page in MediaWiki. This page allows administrators to block users and IP addresses from editing.
The component fails to properly neutralize input data before rendering it into the DOM. When user-controlled values reach the Vue template rendering path without sufficient sanitization or output encoding, an attacker can craft input that is interpreted as HTML or JavaScript rather than plain text.
Exploitation requires an authenticated account with elevated privileges, since the Special:Block interface is restricted to users with block permissions. Successful execution runs script in the context of a victim who views the affected interface, enabling session token theft, forced administrative actions, or defacement of administrative UI elements. Refer to the Wikimedia Task T428809 entry for upstream tracking.
Root Cause
The root cause is improper neutralization of input during web page generation within the SpecialBlock.Vue Single-File Component. Data flowing into the template is rendered without adequate escaping, allowing HTML or JavaScript payloads embedded in attacker-controlled fields to be parsed by the browser.
Attack Vector
The attack vector is network-based and requires the attacker to hold high privileges within the MediaWiki instance. Exploitation also requires user interaction, meaning a second user must view or interact with the malicious content in the Special:Block interface. The vulnerability targets the client-side context and does not directly affect confidentiality, integrity, or availability of server-side resources according to the published metrics.
No verified public proof-of-concept code is available. Technical details are described in prose only; consult the upstream Phabricator task for implementation specifics.
Detection Methods for CVE-2026-58035
Indicators of Compromise
- Unexpected <script>, on*= event handlers, or javascript: URIs appearing in stored block reasons, target names, or related fields rendered by Special:Block.
- Anomalous outbound requests originating from administrator browser sessions shortly after visiting the Special:Block page.
- Unexplained privileged actions performed by administrator accounts that recently loaded the Special:Block interface.
Detection Strategies
- Review MediaWiki application logs for unusual input submitted to block-related endpoints by high-privilege accounts.
- Inspect stored block metadata for HTML entities, encoded script fragments, or unexpected Unicode that may indicate injection attempts.
- Deploy Content Security Policy (CSP) reporting to capture script execution violations on administrative pages.
Monitoring Recommendations
- Monitor account activity for administrators submitting block operations containing markup characters such as <, >, and quoting sequences.
- Correlate administrator session activity with CSP violation reports to identify attempted exploitation.
- Track modifications to SpecialBlock.Vue and related resource files for unauthorized changes.
How to Mitigate CVE-2026-58035
Immediate Actions Required
- Apply the latest MediaWiki security update from Wikimedia Foundation once available for your release branch.
- Audit accounts with block privileges and remove unnecessary high-privilege grants.
- Enforce a strict Content Security Policy on administrative pages to limit inline script execution.
Patch Information
Refer to the upstream tracking entry at Wikimedia Task T428809 for patch status and remediation guidance. Administrators should upgrade to a MediaWiki release that includes the fix for the SpecialBlock.Vue component and validate that input rendering paths perform proper output encoding.
Workarounds
- Restrict access to the Special:Block interface to a minimal set of trusted administrators until patched.
- Deploy a Content Security Policy that disallows inline scripts and untrusted script sources on wiki administrative pages.
- Consider temporarily disabling the Vue-based Special:Block interface if a legacy fallback is available in your MediaWiki version.
# Example restrictive Content-Security-Policy header for MediaWiki admin pages
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

