Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-58028— Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets

AI Predicted 5.4 Difficulty: Easy EPSS 0.23% · P13

Affected Version Matrix 2

VendorProductVersion RangeStatus
Wikimedia FoundationCentralAuth*< 1.46.0, 1.45.4, 1.44.6, 1.43.9affected
Wikimedia FoundationMediaWiki*< 1.46.0, 1.45.4, 1.44.6, 1.43.9affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-58028

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth. This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wikimedia MediaWiki 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wikimedia MediaWiki是美国Wikimedia基金会开源的一套自由免费的基于网络的Wiki引擎。该产品可用于部署内部的知识管理和内容管理系统。 Wikimedia MediaWiki 1.46.0之前版本、1.45.4之前版本、1.44.6之前版本和1.43.9之前版本存在跨站脚本漏洞,该漏洞源于对页面生成过程中输入的中和不当,可能导致跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Wikimedia FoundationMediaWiki * ~ 1.46.0, 1.45.4, 1.44.6, 1.43.9 -
Wikimedia FoundationCentralAuth * ~ 1.46.0, 1.45.4, 1.44.6, 1.43.9 -

II. Public POCs for CVE-2026-58028

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-58028

登录查看更多情报信息。

Other References for CVE-2026-58028 (1)

Same Patch Batch · Wikimedia Foundation · 2026-07-01 · 18 CVEs total

CVE-2026-58038Stored XSS through javascript URLs in SVGs generated by EasyTimeline
CVE-2026-8857Full RCE using EasyTimeline Extension
CVE-2026-13706UrlShortener extension url validation can be bypassed due to difference between php url pa
CVE-2026-13707Session fixation attacks on improperly configured OAuth 1.0a tools
CVE-2026-58034Stored XSS through a system message when blocking a temporary account that's related to ot
CVE-2026-58029Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata
CVE-2026-58036Users API leaks whether privileged users have their user groups disabled for lack of 2FA
CVE-2026-58030SyntaxHighlight stored XSS via unsanitized 'linelinks' attribute
CVE-2026-58033"Total number of distinct authors" statistic at action=info does not exclude revisions whe
CVE-2026-58037Core log entries for exceptions and XSS issues in log entry formatting code that may be ca
CVE-2026-58027QueryAbuseFilter API can be used to see the hit count of private filters, which is hidden
CVE-2026-58031Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected
CVE-2026-58032mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html
CVE-2026-58024API identification of users on private wikis
CVE-2026-58025Remote Code Execution via Unsafe Deserialization in LogItem Import
CVE-2026-58026$wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces
CVE-2026-58035Stored XSS through a system message in the codex version of Special:Block

IV. Related Vulnerabilities

V. Comments for CVE-2026-58028

No comments yet


Leave a comment