CVE-2026-8857 Overview
CVE-2026-8857 is a code injection vulnerability [CWE-94] affecting the Wikimedia Foundation Timeline extension for MediaWiki. The flaw resides in the program files scripts/EasyTimeline.pl and includes/Timeline.php, which process user-supplied timeline definitions. Authenticated users with low privileges can supply crafted input that the Timeline extension processes as executable code. The issue affects Timeline versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9. The vulnerability is exploitable over the network without user interaction.
Critical Impact
Authenticated attackers can inject code through the Timeline extension processing logic in EasyTimeline.pl and Timeline.php, potentially compromising MediaWiki installations that render timeline markup.
Affected Products
- Wikimedia Foundation Timeline extension versions before 1.46.0
- Wikimedia Foundation Timeline extension versions before 1.45.4 in the 1.45.x branch
- Wikimedia Foundation Timeline extension versions before 1.44.6 in the 1.44.x branch, and before 1.43.9 in the 1.43.x branch
Discovery Timeline
- 2026-07-01 - CVE-2026-8857 published to the National Vulnerability Database (NVD)
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-8857
Vulnerability Analysis
CVE-2026-8857 is classified under CWE-94 (Improper Control of Generation of Code). The Timeline extension for MediaWiki renders graphical timelines by parsing user-supplied markup and passing it to the EasyTimeline.pl Perl script through the includes/Timeline.php PHP wrapper. Insufficient neutralization of directives in the timeline definition allows an attacker to influence the code path executed by the interpreter.
The Exploit Prediction Scoring System (EPSS) currently rates this issue at 0.267 percent probability of exploitation. Wikimedia tracks remediation under Phabricator task T426631. Successful exploitation depends on the target wiki permitting the Timeline extension and allowing low-privileged accounts to submit timeline content.
Root Cause
The root cause is unsafe handling of timeline markup passed from includes/Timeline.php to scripts/EasyTimeline.pl. Input validation and sanitization did not adequately restrict values that alter the generated Perl or shell processing context. As a result, attacker-controlled tokens can be interpreted rather than treated as inert data.
Attack Vector
Exploitation requires network access and a low-privileged authenticated account on a MediaWiki instance running the Timeline extension. The attacker submits a page or edit containing crafted <timeline> markup. When the page is rendered, Timeline.php invokes EasyTimeline.pl, and the malicious input is processed as code. See the Wikimedia Phabricator Task T426631 for technical details. No verified proof-of-concept code has been published.
Detection Methods for CVE-2026-8857
Indicators of Compromise
- Unexpected child processes spawned by the MediaWiki web worker, particularly perl invocations of EasyTimeline.pl with unusual arguments.
- Timeline cache directories or temporary files containing shell metacharacters, backticks, or Perl code fragments in filenames.
- Wiki page revisions that add <timeline> blocks containing unusual command-like tokens, pipes, or system function names.
Detection Strategies
- Audit MediaWiki edit histories for new or modified pages containing <timeline> tags, then correlate with the account's privilege level and creation date.
- Monitor the operating system for process creation events where the parent is the web server user and the child is perl or a subprocess of EasyTimeline.pl.
- Compare installed Timeline extension version against the fixed releases 1.46.0, 1.45.4, 1.44.6, and 1.43.9.
Monitoring Recommendations
- Enable verbose logging in Timeline.php to capture input passed to the Perl backend, and forward these logs to a central SIEM for review.
- Alert on outbound network connections initiated by the MediaWiki process user, since code execution scenarios often include callbacks.
- Track file writes in the Timeline extension's working directory and flag any executable or script content outside expected image outputs.
How to Mitigate CVE-2026-8857
Immediate Actions Required
- Upgrade the Timeline extension to 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on your MediaWiki branch.
- Restrict edit permissions on pages that contain <timeline> markup to trusted accounts until patching is complete.
- Review recent edits containing timeline content and revert any suspicious changes introduced by low-privileged users.
Patch Information
Wikimedia has released fixed versions of the Timeline extension: 1.46.0, 1.45.4, 1.44.6, and 1.43.9. Administrators should obtain the patched release from the official Wikimedia distribution channels. Remediation progress is tracked in the Wikimedia Phabricator Task T426631.
Workarounds
- Disable the Timeline extension in LocalSettings.php if upgrading is not immediately feasible.
- Apply an edit filter (AbuseFilter) rule that blocks new revisions containing <timeline> tags from non-trusted user groups.
- Run the MediaWiki web worker under a restricted OS account with no shell, minimal filesystem write access, and outbound network egress controls.
# Configuration example: disable the Timeline extension in LocalSettings.php
# Comment out or remove the following line, then restart the web server
# wfLoadExtension( 'timeline' );
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

