CVE Catalog

CVE-2026-58521

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A SQL injection vulnerability has been discovered in the Cargo extension for MediaWiki due to improper neutralization of special elements used in SQL commands. This flaw allows an attacker to inject malicious SQL code, potentially leading to unauthorized database access.

Risk Assessment

An attacker could exploit this vulnerability to read, modify, or delete data in the MediaWiki database, compromising data confidentiality and integrity, and potentially gaining control over the system.

Recommendation

Immediately update the Cargo extension to version 1.43.9, 1.44.6, 1.45.4 or later, which includes a fix for the SQL injection vulnerability.

Original NVD description (English source)

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS