CVE-2026-14358
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
The Charts extension for MediaWiki contains an XSS vulnerability due to improper input neutralization during page generation. Affected versions are before 1.43.9, 1.44.6, and 1.45.4.
Risk Assessment
An attacker can inject malicious scripts that execute in the victim's browser, potentially leading to session theft, account takeover, or data leakage.
Recommendation
Immediately update the Charts extension to version 1.43.9, 1.44.6, or 1.45.4 depending on your MediaWiki branch.
Original NVD description (English source)
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Charts Extension: from * before 1.43.9,1.44.6,1.45.4.

