Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58038

CVE-2026-58038: Wikimedia Timeline XSS Vulnerability

CVE-2026-58038 is a cross-site scripting flaw in Wikimedia Foundation timeline affecting Timeline.php and EasyTimeline.pl files. This vulnerability allows improper input neutralization during web page generation.

Published:

CVE-2026-58038 Overview

CVE-2026-58038 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting the Wikimedia Foundation Timeline extension for MediaWiki. The flaw resides in the includes/Timeline.php and scripts/EasyTimeline.pl program files. Attackers can inject malicious script content that executes in the browsers of users viewing affected timeline pages. The vulnerability affects Timeline versions prior to 1.46.0, 1.45.4, 1.44.6, and 1.43.9. Exploitation requires low-privilege authentication but no user interaction. The Exploit Prediction Scoring System (EPSS) score is 0.24% with a percentile of 15.06 as of July 2026.

Critical Impact

Authenticated attackers can inject arbitrary JavaScript into rendered timeline output, enabling session hijacking, credential theft, and unauthorized wiki actions performed under the identity of viewing users.

Affected Products

  • Wikimedia Foundation Timeline extension versions prior to 1.46.0
  • Wikimedia Foundation Timeline extension versions prior to 1.45.4
  • Wikimedia Foundation Timeline extension versions prior to 1.44.6 and 1.43.9

Discovery Timeline

  • 2026-07-01 - CVE-2026-58038 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-58038

Vulnerability Analysis

The Timeline extension renders visual chronological data for MediaWiki pages. It processes user-supplied wiki markup through the EasyTimeline.pl Perl script and integrates the output via includes/Timeline.php. The extension fails to properly neutralize user input during web page generation, allowing script content to persist in rendered HTML output. Any user viewing an affected timeline triggers execution of injected code within their browser session.

Because MediaWiki-based platforms often host authenticated administrator and editor sessions, XSS attacks against these environments can escalate to account takeover, content manipulation, and lateral movement across federated wiki infrastructure.

Root Cause

The root cause is improper neutralization of input during web page generation [CWE-79]. Timeline directives accepted through wiki markup are passed to the rendering pipeline without adequate sanitization or contextual output encoding. Attribute values, text nodes, or SVG-based timeline output can carry attacker-controlled payloads that browsers interpret as active script content.

Attack Vector

Exploitation occurs over the network with low attack complexity. An authenticated user with edit permissions submits crafted timeline markup to a wiki page. When another user renders that page, the malicious payload executes in the victim's browser under the origin of the wiki instance. No user interaction beyond viewing the affected page is required.

The vulnerability manifests within the Timeline extension's rendering path. Refer to the Wikimedia Task T427611 advisory for full technical details on the fix.

Detection Methods for CVE-2026-58038

Indicators of Compromise

  • Unexpected <script> tags, event handlers (onload, onerror, onmouseover), or javascript: URIs within timeline markup revisions
  • Anomalous outbound requests from browsers viewing timeline pages, particularly to third-party domains
  • Unauthorized changes to administrator user preferences or session cookies following visits to specific pages containing <timeline> tags

Detection Strategies

  • Audit MediaWiki page revision history for <timeline> blocks containing HTML entities, encoded scripts, or SVG attributes not typical of timeline syntax
  • Compare rendered timeline HTML against expected output from EasyTimeline.pl to identify injected DOM elements
  • Enable Content Security Policy (CSP) reporting on the wiki origin to detect script execution violations

Monitoring Recommendations

  • Monitor MediaWiki access logs for POST requests to action=edit or action=submit containing timeline markup from newly registered or low-reputation accounts
  • Alert on Timeline extension versions below 1.46.0, 1.45.4, 1.44.6, or 1.43.9 in software inventory scans
  • Track browser console errors and CSP violation reports from users interacting with wiki content

How to Mitigate CVE-2026-58038

Immediate Actions Required

  • Upgrade the Timeline extension to version 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on your MediaWiki release branch
  • Review recent edits to pages containing <timeline> markup and revert any suspicious revisions
  • Rotate session tokens and administrator credentials if exploitation is suspected

Patch Information

Wikimedia Foundation has released fixed versions of the Timeline extension: 1.46.0, 1.45.4, 1.44.6, and 1.43.9. Refer to the Wikimedia Task T427611 for patch details and applicable branches.

Workarounds

  • Disable the Timeline extension in LocalSettings.php until the patched version is deployed
  • Restrict edit permissions on pages that use timeline markup to trusted users only
  • Deploy a strict Content Security Policy that blocks inline script execution and unauthorized external resources
bash
# Disable the Timeline extension in LocalSettings.php
# Comment out or remove the following line:
# wfLoadExtension( 'timeline' );

# Verify installed Timeline extension version
grep -r "version" extensions/timeline/extension.json

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.