Vulnerability Summary

Vulnerability Overview

CVE ID: CVE-2026-39839
Title: Stored XSS via URLs in Cargo's map format (Stored XSS in Cargo Map Format via URLs)
Description: An attacker can execute a stored Cross-Site Scripting (XSS) attack by using links as URL parameters within the Cargo extension, leveraging the map output format.

Affected Components

Component: MediaWiki Cargo Extension
Versions: Cargo 3.8.6 (and earlier), MediaWiki 1.46.0-alpha

Remediation

Status: Fixed (Closed/Resolved)
Fix Details: Added URL validation logic for the 'maps' format in the file to prevent malicious script injection.

Proof of Concept (PoC)

1. Create Template (Template:XSS):
2. Create Page (Containing Malicious Data):
3. Access Specific URL to Trigger Vulnerability:

(Note: After accessing the URL above, clicking the markers generated on the map will trigger )
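
The fix details above describe URL validation for the 'maps' format. As an added illustration (not Cargo's actual patch, which is not shown on this page), the following sketch applies a scheme allowlist before a stored URL is rendered as a map-marker link; the function names `safeMarkerUrl`, `escapeHtml` and `markerPopupHtml` and all sample values are constructed assumptions.

```javascript
// Added example: scheme allowlist for URLs that become map-marker links.
// Function names and sample values are constructed for illustration.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalized absolute URL, or null if the value must not be linked.
function safeMarkerUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    // The WHATWG parser strips surrounding whitespace and embedded
    // tab/newline characters and lowercases the scheme, so a disguised
    // scheme is checked in the same form a browser would act on.
    parsed = new URL(raw);
  } catch (e) {
    return null; // relative, scheme-less or unparsable: render no link
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Escapes text for use in HTML element content and quoted attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds popup HTML for a marker; falls back to plain text when the URL fails.
function markerPopupHtml(title, rawUrl) {
  const url = safeMarkerUrl(rawUrl);
  const label = escapeHtml(title);
  if (url === null) return label;
  return `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample values, as they might arrive from stored page data.
const samples = [
  "https://example.org/wiki/Town",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "  data:text/html,<b>x</b>",
  "//example.org/path",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "=>", safeMarkerUrl(s));
}
```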