CVE-2026-58521
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A SQL injection vulnerability has been discovered in the Cargo extension for MediaWiki due to improper neutralization of special elements used in SQL commands. This flaw allows an attacker to inject malicious SQL code, potentially leading to unauthorized database access.
Risk Assessment
An attacker could exploit this vulnerability to read, modify, or delete data in the MediaWiki database, compromising data confidentiality and integrity, and potentially gaining control over the system.
Recommendation
Immediately update the Cargo extension to version 1.43.9, 1.44.6, 1.45.4 or later, which includes a fix for the SQL injection vulnerability.
Original NVD description (English source)
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

