Wikimedia Foundation MediaWiki
Moderate fix9 remedies
cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*
Moderate fix9 remedies
- >= 1.27.0, < 1.39.13
- 1.42.7
- 1.43.2
- 1.44.0
Wikimedia MediaWiki Cross-Site Scripting Vulnerability in ApiSandbox
Vulnerability
Patched
A cross-site scripting (XSS) vulnerability has been identified in the Wikimedia Foundation's MediaWiki, specifically within the Special:ApiSandbox page. This issue affects MediaWiki versions 1.27.0 prior to 1.39.13, as well as 1.42.7, 1.43.2, and 1.44.0. The vulnerability arises from improper handling of input during web page generation, allowing users to inject malicious scripts that could be executed in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's browser.
Reproduction
To reproduce this vulnerability, navigate to the Special:ApiSandbox page and enter a specific payload in the text parameter, including an image tag with an 'onerror' attribute. After clicking 'Make request', the injected script will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users can update to MediaWiki versions 1.39.13, 1.42.7, 1.43.2, or 1.44.0 to address this vulnerability.
Added: Feb 2, 2026, 11:47 PM
Updated: Feb 2, 2026, 11:47 PM
Vulnerability Rating
Custom Algorithm
spread
6.4impact
1.7exploitability
7.7remediation
7.7relevance
2.6threat
6.4urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.