Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58519

CVE-2026-58519: MediaWiki Cargo Extension XSS Vulnerability

CVE-2026-58519 is a stored cross-site scripting flaw in MediaWiki Cargo Extension that enables attackers to inject malicious scripts. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-58519 Overview

CVE-2026-58519 is a stored cross-site scripting (XSS) vulnerability in the Wikimedia Foundation MediaWiki Cargo Extension. The flaw stems from improper neutralization of input during web page generation [CWE-79]. It affects all Cargo Extension versions prior to 3.9.1.

An attacker can inject malicious script content that persists in wiki pages generated by the extension. When other users view the affected pages, the stored payload executes in their browsers. This enables session hijacking, credential theft, and unauthorized actions performed under victim privileges.

Critical Impact

Authenticated or unauthenticated attackers can store JavaScript payloads that execute against every user viewing the affected Cargo-generated pages, including administrators.

Affected Products

  • Wikimedia Foundation MediaWiki Cargo Extension versions prior to 3.9.1
  • MediaWiki installations using the Cargo Extension for data storage and querying
  • Wiki farms and public wikis that expose Cargo query output to end users

Discovery Timeline

  • 2026-07-01 - CVE-2026-58519 published to the National Vulnerability Database
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-58519

Vulnerability Analysis

The Cargo Extension enables MediaWiki editors to store and query structured data across wiki pages. The extension fails to sanitize user-controlled input before rendering it into HTML output. Attackers with page-edit privileges can inject script content into Cargo-tracked fields.

When the Cargo Extension renders query results or table output, the malicious payload is delivered to viewers without proper encoding. The stored nature of the flaw increases exposure because a single injection persists across sessions and users. Every subsequent page render replays the payload in visitors' browsers.

Because the payload runs in the security context of the wiki origin, it inherits access to authenticated session cookies and CSRF tokens. Attackers can chain the XSS to escalate against administrators who view compromised pages.

Root Cause

The root cause is improper output encoding in the Cargo Extension's rendering routines. User-supplied field values reach the HTML output path without being neutralized for script contexts. This matches the pattern described in [CWE-79] for stored XSS. The fix in version 3.9.1 addresses the encoding gap in affected rendering paths.

Attack Vector

The vulnerability is exploitable over the network with low attack complexity and no privileges beyond standard wiki editing. Exploitation requires no user interaction beyond viewing an affected page. See the Wikimedia Gerrit Code Review and the Wikimedia Phabricator Task for technical details of the fix.

No verified public proof-of-concept code is currently available. The vulnerability manifests when Cargo renders stored field values into HTML without contextual escaping.

Detection Methods for CVE-2026-58519

Indicators of Compromise

  • Unexpected <script>, onerror, onload, or javascript: tokens stored in Cargo table fields.
  • Wiki page revisions containing HTML entities or encoded payloads in fields that should hold plain text.
  • Outbound browser requests from wiki users to unfamiliar domains referenced by injected scripts.

Detection Strategies

  • Audit Cargo database tables for field values containing HTML or JavaScript syntax using SQL queries against the cargo__* tables.
  • Review MediaWiki page revision history for edits that introduce unusual markup into Cargo-declared fields.
  • Deploy Content Security Policy (CSP) violation reporting to surface script execution from untrusted inline sources.

Monitoring Recommendations

  • Log and alert on edits to templates and pages that define Cargo storage declarations.
  • Monitor authenticated administrator sessions for anomalous API actions following page views.
  • Correlate web server access logs with Cargo query endpoints to identify reconnaissance patterns.

How to Mitigate CVE-2026-58519

Immediate Actions Required

  • Upgrade the MediaWiki Cargo Extension to version 3.9.1 or later on all wiki installations.
  • Audit existing Cargo table content for injected payloads and purge or sanitize affected records.
  • Review recent edits from untrusted accounts and revert changes that introduced suspicious markup.

Patch Information

The Wikimedia Foundation resolved the issue in Cargo Extension version 3.9.1. Administrators should apply the update through their standard MediaWiki extension deployment process. The corresponding code change is available in the Wikimedia Gerrit Code Review, and additional context is tracked in the Wikimedia Phabricator Task.

Workarounds

  • Restrict Cargo Extension editing privileges to trusted user groups until the patch is applied.
  • Enforce a strict Content Security Policy that blocks inline script execution on the wiki origin.
  • Temporarily disable the Cargo Extension on public-facing wikis where upgrade cannot occur immediately.
bash
# Upgrade the Cargo Extension via git in the MediaWiki extensions directory
cd /var/www/mediawiki/extensions/Cargo
git fetch --tags
git checkout 3.9.1
php /var/www/mediawiki/maintenance/update.php --quick

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.