CVE-2026-58031

NameCVE-2026-58031
DescriptionImproper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from 1.46.0-rc.0 before 1.46.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mediawiki (PTS)bullseye1:1.35.13-1+deb11u2fixed
bullseye (security)1:1.35.13-1+deb11u7fixed
bookworm, bookworm (security)1:1.39.17-1+deb12u2fixed
trixie (security), trixie1:1.43.8+dfsg-1~deb13u1fixed
forky, sid1:1.43.8+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mediawikisource(unstable)(not affected)

Notes

- mediawiki <not-affected> (Only affects 1.46 and later)
https://phabricator.wikimedia.org/T426889
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1299593

Search for package or bug name: Reporting problems