CVE-2026-0671

Published: Jan 8, 2026Modified: Jan 15, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39.

Affected (4)

Products: Wikimedia: Mediawiki Extensions Uploadwizard

Wikimedia

1 product

Mediawiki Extensions Uploadwizard

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Wikimedia Mediawiki Extensions Uploadwizard	Version 1.39
Wikimedia Mediawiki Extensions Uploadwizard	Version 1.43
Wikimedia Mediawiki Extensions Uploadwizard	Version 1.44
Wikimedia Mediawiki Extensions Uploadwizard	Version 1.45

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://gerrit.wikimedia.org/r/q/I16de2211594ea9a686868ad7789f9879bf981fa1

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

Patch

https://phabricator.wikimedia.org/T407157

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

ExploitIssue TrackingVendor Advisory

Timeline

No history available yet.