Zero Day Monitor (ZDM)
CVE-2026-39839 · PATCHED
wikimedia foundation · mediawiki - cargo extension

Stored XSS through URLs in Cargo's map format

Description

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.

Affected Products

Vendor | Product | Versions
wikimedia foundation | mediawiki - cargo extension | 0, 3.8.6

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
open source | mediawiki | cert_advisory | 90%

References

  • https://phabricator.wikimedia.org/T416271
  • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237957
  • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237977

Related News (2 articles)

Tier B
BSI Advisories · 6h ago
[NEW] [high] MediaWiki extensions: Multiple vulnerabilities allow cross-site scripting
→ No new info (linked only)
Tier C
VulDB · 2d ago
CVE-2026-39839 | Wikimedia Cargo Extension up to 3.8.6 on Mediawiki cross site scripting
→ No new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: 3.8.7
CWE: CWE-80
Published: Apr 7, 2026
Last enriched: 2d ago (v2)
Trending Score: 45
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-39840 · EXP
CSS injection in multiple Cargo display formats
Trending: 64
NONE · CVE-2026-39934 · EXP
Growth Experiments ReassignMenteesJob runs as an infinite loop
Trending: 59
NONE · CVE-2026-5762 · EXP
ReportIncident DiscussionTools integration causes slow requests
Trending: 58
HIGH · CVE-2026-39837
Stored XSS through the dynamic table format in Cargo
Trending: 45
HIGH · CVE-2026-39841
Stored XSS through list fields on Cargo's page values and Special:CargoTables
Trending: 45

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 7, 2026
Discovered by ZDM: Apr 7, 2026
Patch Available: Apr 7, 2026
Updated (affectedVersions, severity): Apr 7, 2026

Version History

v2 (last enriched 2d ago)
v2 · Tier C · 2d ago

Updated affected versions to 3.8.6, changed severity to HIGH, and noted that no exploit exists.

affectedVersions, severity
via VulDB
v1 · 2d ago

Initial creation