CVE Catalog

CVE-2026-58519

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

A Stored XSS vulnerability in the Cargo extension for MediaWiki allows an attacker to inject a malicious script that is stored on the server and executed in the victim's browser. The issue affects versions before 3.9.1.

Risk Assessment

An attacker can steal user sessions, modify page content, or conduct phishing attacks within the trusted MediaWiki domain, compromising data confidentiality and integrity.

Recommendation

Immediately update the Cargo extension to version 3.9.1 or later, which includes a fix for input neutralization.

Original NVD description (English source)

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: from * before 3.9.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS