Greetings-

With the security/maintenance release of MediaWiki 1.43.9/1.44.6/1.45.4, we
would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

UrlShortener
+ (T418533, CVE-2026-13706) - UrlShortener extension url validation can be
bypassed due to difference between php url parsing and WHATWG
https://gerrit.wikimedia.org/r/q/I64268dda19ea9dfa048b3e2212a682d53c2a59d6

RedirectManager
+ (T423826, CVE-2026-58518) - RedirectManager's API does not require a CSRF
token
https://gerrit.wikimedia.org/r/1275494

Cargo
+ (T424140, CVE-2026-58519) - Stored XSS through Cargo's map format
https://gerrit.wikimedia.org/r/c/1277612

UrlShortener
+ (T418431, CVE-2026-58520) - UrlShortener defaults to ineffective
validation open to third-party redirects
https://gerrit.wikimedia.org/r/1306769

CentralAuth
+ (T422306, CVE-2026-58028) - Pretty-printed API output combined with
centralauthtoken allows XSS with certain gadgets
https://gerrit.wikimedia.org/r/q/Idb42ab1cf685ef145b78701784909c590d758917

StructuredDiscussions
+ (T424285) - Flow ships Handlebars 3.0.0 with known security
vulnerabilities. See https://security.snyk.io/package/npm/handlebars/3.0.0
for more details
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Flow/+/1277782

Timeline
+ (T426631, CVE-2026-8857) - Full RCE using EasyTimeline Extension
https://gerrit.wikimedia.org/r/q/Ic2f3aa24922e6d44d063b76630cc888016ba4c74
https://gerrit.wikimedia.org/r/q/Ia19cbe8c80fa5a765abca68305254c15e817bfac

Timeline
+ (T427611, CVE-2026-58038) - Stored XSS through javascript URLs in SVGs
generated by EasyTimeline
https://gerrit.wikimedia.org/r/q/Ia61203fcd4913ce97fd6c05ea908d3910c213ff6

Maps
+ (GHSA-4h7g-5542-v3fc, CVE-2026-52854) - Stored XSS through the overlays
parameter in the display_map parser function
https://github.com/ProfessionalWiki/Maps/security/advisories/GHSA-4h7g-5542-v3fc
https://github.com/ProfessionalWiki/Maps/commit/737a993fc2f40499e9bb22198fd1d56c25613806

Cargo
+ (T428274, CVE-2026-58521) - SQLi in Cargo extension via year range filter
https://gerrit.wikimedia.org/r/1298854

OAuth
+(T428324, CVE-2026-13707) - Session fixation attacks on improperly
configured OAuth 1.0a tools
https://gerrit.wikimedia.org/r/q/Ife0b4bf16761c01bdb0e91a29f1fb94de380c73e

EmbedVideo (fork)
+(GHSA-c29q-5xm7-5p62, CVE-2026-55690) - Stored XSS via unsanitized service
name in exception text
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-c29q-5xm7-5p62
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/9215564bf28a0ceb40be550a55ab78efc0accc56

EmbedVideo (fork)
+(GHSA-v65j-hff3-753c, CVE-2026-57440) - Stored XSS via malformed src url
with $wgEmbedVideoRequireConsent disabled
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-v65j-hff3-753c
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84

EmbedVideo (fork)
+(GHSA-5c7p-g73q-rpg5, CVE-2026-55692) - Stored XSS via malformed src url
with $wgEmbedVideoRequireConsent enabled
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-5c7p-g73q-rpg5
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84

EmbedVideo (fork)
+(GHSA-7h5p-637f-jfr7, CVE-2026-55691) - Stored XSS via unsanitized class
passed to template
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-7h5p-637f-jfr7
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84

WikiLambda
+(T428833, CVE-2026-58517) - Blocked users can create and edit WikiLambda
objects
https://gerrit.wikimedia.org/r/1305376

Charts
+(T430548, CVE-2026-14358) - Stored XSS in Wikimedia Chart pie tooltip via
Data:*.tab field title
https://gerrit.wikimedia.org/r/q/Ibdaa7c852ae83f562e84dddc9c96ad64e2152210

Cargo
+(T422774, CVE-2026-14363) - Cargo Extension: SQLi in Special:Drilldown
https://gerrit.wikimedia.org/r/c/1269701
https://gerrit.wikimedia.org/r/c/1279498

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact [email protected]
or file a security task within Phabricator [3]. CVE JSON references can be
found on Gitlab [4].

[1] https://phabricator.wikimedia.org/T421273
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
[4] https://gitlab.wikimedia.org/repos/security/wikimedia-cve-assignments
_______________________________________________
Wikitech-l mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/

Reply via email to