CVE-2026-14363
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
An SQL injection vulnerability in the Cargo extension for MediaWiki allows an attacker to inject malicious SQL code. The issue affects versions before 1.43.9, 1.44.6, and 1.45.4.
Risk Assessment
An attacker can gain unauthorized access to the database, steal or modify data, leading to a breach of confidentiality and integrity of the system.
Recommendation
Immediately update the Cargo extension to version 1.43.9, 1.44.6, or 1.45.4 depending on the MediaWiki branch in use.
Original NVD description (English source)
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

