Greetings- With the security/maintenance release of MediaWiki 1.43.9/1.44.6/1.45.4, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
UrlShortener + (T418533, CVE-2026-13706) - UrlShortener extension url validation can be bypassed due to difference between php url parsing and WHATWG https://gerrit.wikimedia.org/r/q/I64268dda19ea9dfa048b3e2212a682d53c2a59d6 RedirectManager + (T423826, CVE-2026-58518) - RedirectManager's API does not require a CSRF token https://gerrit.wikimedia.org/r/1275494 Cargo + (T424140, CVE-2026-58519) - Stored XSS through Cargo's map format https://gerrit.wikimedia.org/r/c/1277612 UrlShortener + (T418431, CVE-2026-58520) - UrlShortener defaults to ineffective validation open to third-party redirects https://gerrit.wikimedia.org/r/1306769 CentralAuth + (T422306, CVE-2026-58028) - Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets https://gerrit.wikimedia.org/r/q/Idb42ab1cf685ef145b78701784909c590d758917 StructuredDiscussions + (T424285) - Flow ships Handlebars 3.0.0 with known security vulnerabilities. See https://security.snyk.io/package/npm/handlebars/3.0.0 for more details https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Flow/+/1277782 Timeline + (T426631, CVE-2026-8857) - Full RCE using EasyTimeline Extension https://gerrit.wikimedia.org/r/q/Ic2f3aa24922e6d44d063b76630cc888016ba4c74 https://gerrit.wikimedia.org/r/q/Ia19cbe8c80fa5a765abca68305254c15e817bfac Timeline + (T427611, CVE-2026-58038) - Stored XSS through javascript URLs in SVGs generated by EasyTimeline https://gerrit.wikimedia.org/r/q/Ia61203fcd4913ce97fd6c05ea908d3910c213ff6 Maps + (GHSA-4h7g-5542-v3fc, CVE-2026-52854) - Stored XSS through the overlays parameter in the display_map parser function https://github.com/ProfessionalWiki/Maps/security/advisories/GHSA-4h7g-5542-v3fc https://github.com/ProfessionalWiki/Maps/commit/737a993fc2f40499e9bb22198fd1d56c25613806 Cargo + (T428274, CVE-2026-58521) - SQLi in Cargo extension via year range filter https://gerrit.wikimedia.org/r/1298854 OAuth +(T428324, CVE-2026-13707) - Session fixation attacks on improperly configured OAuth 1.0a tools https://gerrit.wikimedia.org/r/q/Ife0b4bf16761c01bdb0e91a29f1fb94de380c73e EmbedVideo (fork) +(GHSA-c29q-5xm7-5p62, CVE-2026-55690) - Stored XSS via unsanitized service name in exception text https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-c29q-5xm7-5p62 https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/9215564bf28a0ceb40be550a55ab78efc0accc56 EmbedVideo (fork) +(GHSA-v65j-hff3-753c, CVE-2026-57440) - Stored XSS via malformed src url with $wgEmbedVideoRequireConsent disabled https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-v65j-hff3-753c https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84 EmbedVideo (fork) +(GHSA-5c7p-g73q-rpg5, CVE-2026-55692) - Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-5c7p-g73q-rpg5 https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84 EmbedVideo (fork) +(GHSA-7h5p-637f-jfr7, CVE-2026-55691) - Stored XSS via unsanitized class passed to template https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-7h5p-637f-jfr7 https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84 WikiLambda +(T428833, CVE-2026-58517) - Blocked users can create and edit WikiLambda objects https://gerrit.wikimedia.org/r/1305376 Charts +(T430548, CVE-2026-14358) - Stored XSS in Wikimedia Chart pie tooltip via Data:*.tab field title https://gerrit.wikimedia.org/r/q/Ibdaa7c852ae83f562e84dddc9c96ad64e2152210 Cargo +(T422774, CVE-2026-14363) - Cargo Extension: SQLi in Special:Drilldown https://gerrit.wikimedia.org/r/c/1269701 https://gerrit.wikimedia.org/r/c/1279498 The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact [email protected] or file a security task within Phabricator [3]. CVE JSON references can be found on Gitlab [4]. [1] https://phabricator.wikimedia.org/T421273 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs [4] https://gitlab.wikimedia.org/repos/security/wikimedia-cve-assignments
_______________________________________________ Wikitech-l mailing list -- [email protected] To unsubscribe send an email to [email protected] https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
