
CVE-2026-58032: mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html

AI-predicted score: 5.4 · Difficulty: Moderate · EPSS: 0.44% (35th percentile)

Affected Version Matrix (1 entry)

Vendor: Wikimedia Foundation
Product: MediaWiki
Version range: every release before the patched version on its branch, i.e. before 1.46.0, 1.45.4, 1.44.6 and 1.43.9 (the fixed releases on the 1.46, 1.45, 1.44 and 1.43 branches respectively)
Status: affected

I. Basic Information for CVE-2026-58032

Vulnerability Information


Vulnerability Title
mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. The vulnerability is associated with the program file resources/src/mediawiki.Api/index.js. It affects all MediaWiki releases before 1.46.0, 1.45.4, 1.44.6 and 1.43.9 (the fixed version on each release branch).
Source: NVD (National Vulnerability Database)
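The advisory title names the failure mode precisely: a client helper that turns an action API error response into markup is only safe to treat as HTML when the request asked the server for errorformat=html; with any other error format the text can carry markup (for example, echoed request parameters) and must be rendered as text. The following is an added illustration of that pattern, not MediaWiki's own code and not the implementation of mw.Api.getErrorMessage(). The response shapes (legacy `error.info` versus an `errors[]` array with `html`/`text` fields) and the sample error strings are assumptions modelled on the action API formats, constructed for the example.

```javascript
// Added example (not MediaWiki code): modelling the errorformat mismatch
// named in CVE-2026-58032. Response shapes are assumptions modelled on the
// action API's legacy (errorformat=bc) and modern (errorformat=html/plaintext)
// error formats; sample payloads are constructed, not captured from a wiki.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the first error's code and payload out of either assumed response shape.
function firstError(response) {
  if (Array.isArray(response.errors) && response.errors.length) {
    const e = response.errors[0];
    return { code: e.code, html: e.html, text: e.text };
  }
  if (response.error) {
    return { code: response.error.code, text: response.error.info };
  }
  return { code: 'unknown', text: 'Unknown error' };
}

// Vulnerable pattern: whatever text came back is spliced into markup verbatim,
// regardless of which errorformat the request used.
function errorBoxUnsafe(response) {
  const e = firstError(response);
  return '<div class="error">' + (e.html || e.text) + '</div>';
}

// Hardened pattern: the caller states which errorformat it requested. Only a
// server-rendered `html` field obtained via errorformat=html is trusted as
// markup; anything else is escaped and shown as text.
function errorBoxSafe(response, requestedFormat) {
  const e = firstError(response);
  if (requestedFormat === 'html' && typeof e.html === 'string') {
    return '<div class="error">' + e.html + '</div>';
  }
  return '<div class="error">' + escapeHtml(e.text || e.code) + '</div>';
}

// Constructed sample responses: the error text echoes a request parameter
// that an attacker controls.
const PAYLOAD = '<img src=x onerror=alert(1)>';
const legacyResponse = {
  error: { code: 'badtitle', info: 'The requested page title "' + PAYLOAD + '" is invalid' }
};
const htmlResponse = {
  errors: [{ code: 'badtitle', html: '<p>The requested page title "' + escapeHtml(PAYLOAD) + '" is invalid</p>' }]
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(errorBoxUnsafe(legacyResponse));      // raw markup reaches the DOM
  console.log(errorBoxSafe(legacyResponse, 'bc'));  // markup is escaped
  console.log(errorBoxSafe(htmlResponse, 'html'));  // server-rendered HTML used as-is
}
```

The practical check for a gadget or extension author is the same as the function's contract: wherever a response is handed to an HTML-building helper, confirm the request that produced it set errorformat=html, or treat the result as text. Auditing call sites for that pairing is how you find instances of this bug without reading the helper itself.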
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Source: NVD (National Vulnerability Database)

Affected Products

Vendor: Wikimedia Foundation
Product: MediaWiki
Affected versions: before 1.46.0, 1.45.4, 1.44.6, 1.43.9 (per release branch)
CPE: none listed

II. Public POCs for CVE-2026-58032


No public POC found.


III. Intelligence Information for CVE-2026-58032


Other References for CVE-2026-58032 (1)

Same Patch Batch · Wikimedia Foundation · 2026-07-01 · 18 CVEs total

CVE-2026-58033 - "Total number of distinct authors" statistic at action=info does not exclude revisions whe
CVE-2026-8857 - Full RCE using EasyTimeline Extension
CVE-2026-13706 - UrlShortener extension url validation can be bypassed due to difference between php url pa
CVE-2026-13707 - Session fixation attacks on improperly configured OAuth 1.0a tools
CVE-2026-58034 - Stored XSS through a system message when blocking a temporary account that's related to ot
CVE-2026-58028 - Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets
CVE-2026-58029 - Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata
CVE-2026-58036 - Users API leaks whether privileged users have their user groups disabled for lack of 2FA
CVE-2026-58030 - SyntaxHighlight stored XSS via unsanitized 'linelinks' attribute
CVE-2026-58037 - Core log entries for exceptions and XSS issues in log entry formatting code that may be ca
CVE-2026-58038 - Stored XSS through javascript URLs in SVGs generated by EasyTimeline
CVE-2026-58027 - QueryAbuseFilter API can be used to see the hit count of private filters, which is hidden
CVE-2026-58031 - Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected
CVE-2026-58024 - API identification of users on private wikis
CVE-2026-58025 - Remote Code Execution via Unsafe Deserialization in LogItem Import
CVE-2026-58026 - $wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces
CVE-2026-58035 - Stored XSS through a system message in the codex version of Special:Block
