Zero Day Monitor (ZDM)
CVE-2026-39840 · EXPLOITED · PATCHED
wikimedia foundation · cargo

CSS injection in multiple Cargo display formats

Description

A vulnerability classified as problematic was found in Wikimedia Cargo Extension up to 3.8.6 on MediaWiki. The manipulation results in cross-site scripting. This vulnerability is known as CVE-2026-39840.

Affected Products

Vendor | Product | Versions
wikimedia foundation | cargo | 0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
open source | mediawiki | cert_advisory | 90%

References

  • https://phabricator.wikimedia.org/T416368
  • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237966

Related News (2 articles)

Tier B
BSI Advisories · 6h ago
[NEW] [high] MediaWiki extensions: Multiple vulnerabilities allow cross-site scripting
→ No new info (linked only)
Tier C
VulDB · 2d ago
CVE-2026-39840 | Wikimedia Cargo Extension up to 3.8.6 on Mediawiki cross site scripting (EUVD-2026-19929)
→ No new info (linked only)
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 3.8.7
CWE: CWE-79
Published: Apr 7, 2026
Last enriched: 2d ago (v2)
Trending Score: 64
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

NONE · CVE-2026-39934 · EXP
Growth Experiments ReassignMenteesJob runs as an infinite loop
Trending: 59
NONE · CVE-2026-5762 · EXP
ReportIncident DiscussionTools integration causes slow requests
Trending: 58
HIGH · CVE-2026-39839
Stored XSS through URLs in Cargo's map format
Trending: 45
HIGH · CVE-2026-39837
Stored XSS through the dynamic table format in Cargo
Trending: 45
HIGH · CVE-2026-39841
Stored XSS through list fields on Cargo's page values and Special:CargoTables
Trending: 45

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 7, 2026
Discovered by ZDM: Apr 7, 2026
Actively Exploited: Apr 7, 2026
Patch Available: Apr 7, 2026
Updated (description, severity, activelyExploited): Apr 7, 2026

Version History

v2
Last enriched 2d ago
v2 · Tier C · 2d ago

Updated description with new details, changed severity to HIGH, and noted that the exploit is not available but the vulnerability is actively exploited.

description · severity · activelyExploited
via VulDB
v1 · 2d ago

Initial creation