Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-58034— Stored XSS through a system message when blocking a temporary account that's related to other temporary accounts

AI Predicted 5.4 Difficulty: Moderate EPSS 0.14% · P4

Affected Version Matrix 1

VendorProductVersion RangeStatus
Wikimedia FoundationCheckUser1.46.0-rc.0< 1.46.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-58034

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Stored XSS through a system message when blocking a temporary account that's related to other temporary accounts
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue. This issue affects CheckUser: from 1.46.0-rc.0 before 1.46.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wikimedia Foundation CheckUser 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wikimedia Foundation CheckUser是Wikimedia Foundation的用户权限审计工具。 Wikimedia Foundation CheckUser 1.46.0之前版本存在跨站脚本漏洞,该漏洞源于网页生成期间输入中和不当(跨站脚本),此漏洞与程序文件modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue相关。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Wikimedia FoundationCheckUser 1.46.0-rc.0 ~ 1.46.0 -

II. Public POCs for CVE-2026-58034

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-58034

登录查看更多情报信息。

Patches & Fixes for CVE-2026-58034 (1)

Same Patch Batch · Wikimedia Foundation · 2026-07-01 · 18 CVEs total

CVE-2026-58038Stored XSS through javascript URLs in SVGs generated by EasyTimeline
CVE-2026-8857Full RCE using EasyTimeline Extension
CVE-2026-13706UrlShortener extension url validation can be bypassed due to difference between php url pa
CVE-2026-13707Session fixation attacks on improperly configured OAuth 1.0a tools
CVE-2026-58028Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets
CVE-2026-58029Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata
CVE-2026-58036Users API leaks whether privileged users have their user groups disabled for lack of 2FA
CVE-2026-58030SyntaxHighlight stored XSS via unsanitized 'linelinks' attribute
CVE-2026-58033"Total number of distinct authors" statistic at action=info does not exclude revisions whe
CVE-2026-58037Core log entries for exceptions and XSS issues in log entry formatting code that may be ca
CVE-2026-58027QueryAbuseFilter API can be used to see the hit count of private filters, which is hidden
CVE-2026-58031Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected
CVE-2026-58032mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html
CVE-2026-58024API identification of users on private wikis
CVE-2026-58025Remote Code Execution via Unsafe Deserialization in LogItem Import
CVE-2026-58026$wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces
CVE-2026-58035Stored XSS through a system message in the codex version of Special:Block

IV. Related Vulnerabilities

V. Comments for CVE-2026-58034

No comments yet


Leave a comment