Wikimedia Foundation MediaWiki Content-Type Misconfiguration Vulnerability in ActionEntryPoint

Vulnerability

A vulnerability exists in Wikimedia Foundation MediaWiki versions prior to 1.43.7, 1.44.4, and 1.45.2. The issue arises in the ActionEntryPoint component, where an 'action=raw' request for a 'Special:Mypage' subpage is incorrectly served with a 'Content-Type' of 'text/html' instead of the requested 'text/javascript'. This misconfiguration can be exploited to execute arbitrary JavaScript in the context of the user's session.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's session, potentially leading to session hijacking or other malicious actions.

Reproduction

To reproduce this vulnerability, request a 'Special:Mypage' subpage with 'action=raw' and 'ctype=text/javascript'. The response will incorrectly carry a 'Content-Type' of 'text/html' rather than the requested 'text/javascript', allowing JavaScript to execute if the content is evaluated.

Remediation

Users can update to MediaWiki versions 1.43.7, 1.44.4, or 1.45.2, where this vulnerability has been fixed.
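As an added verification aid that is not part of this advisory or of MediaWiki itself: a Python helper that classifies a reported MediaWiki version against the fixed releases named above and flags a response whose Content-Type comes back as text/html for an action=raw request made with ctype=text/javascript. The sample headers are constructed, and reading the version from the 'MediaWiki x.y.z' string shown by Special:Version or the API siteinfo 'generator' field is an assumption of the example.

```python
import re

# Fixed releases named in the advisory, per release branch:
# (major, minor) -> first patch level that carries the fix.
FIXED_PATCH = {(1, 43): 7, (1, 44): 4, (1, 45): 2}


def parse_version(generator: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a string such as 'MediaWiki 1.44.3'.
    That 'MediaWiki x.y.z' form is what Special:Version and the API siteinfo
    'generator' field report (assumption about the input format)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", generator)
    if m is None:
        raise ValueError(f"no x.y.z version found in {generator!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def is_affected_version(version: tuple[int, int, int]) -> bool:
    """True when the version is prior to the fixed release of its branch.
    Branches older than 1.43 precede every fixed release and are treated as
    affected; anything newer than 1.45.2 is not 'prior to' any fix."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    return branch < (1, 43)


def content_type_mismatch(requested_ctype: str, response_headers: dict) -> bool:
    """True when an action=raw request for `requested_ctype` came back as
    text/html. Header names are matched case-insensitively and parameters
    such as '; charset=UTF-8' are ignored."""
    header = next((v for k, v in response_headers.items()
                   if k.lower() == "content-type"), "")
    served = header.split(";", 1)[0].strip().lower()
    return served == "text/html" and served != requested_ctype.strip().lower()


# Constructed sample responses: one showing the misconfiguration, one correct.
VULNERABLE_RESPONSE = {"Content-Type": "text/html; charset=UTF-8"}
CORRECT_RESPONSE = {"content-type": "text/javascript; charset=UTF-8"}

if __name__ == "__main__":
    for generator in ("MediaWiki 1.44.3", "MediaWiki 1.44.4", "MediaWiki 1.42.1"):
        v = parse_version(generator)
        print(generator, "affected" if is_affected_version(v) else "fixed")
    print("mismatch:", content_type_mismatch("text/javascript", VULNERABLE_RESPONSE))
```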

Added: May 11, 2026, 6:45 PM
Updated: May 11, 2026, 6:45 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 1.7
exploitability: 7.3
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.