it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.43.7/1.44.4/1.45.2)
- From: Scott Bassett via MediaWiki-announce <mediawiki-announce AT lists.wikimedia.org>
- To: mediawiki-announce AT lists.wikimedia.org
- Cc: Scott Bassett <sbassett AT wikimedia.org>
- Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.43.7/1.44.4/1.45.2)
- Date: Thu, 9 Apr 2026 10:36:30 -0500
- Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/VXEYKT6FNA5NYFPAYU67SNTNBXLTQ4FN/>
- List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
Greetings-
With the security/maintenance release of MediaWiki 1.43.7/1.44.4/1.45.2, we
would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:
ReportIncident
+ (T414582, CVE-2026-5762) - ReportIncident DiscussionTools integration
causes slow requests with occasional timeouts on large talk pages
https://gerrit.wikimedia.org/r/q/I05d7f65c57d9aa1b70cdb159c4291ac28c60b4dd
ProofreadPage
+ (T406088, CVE-2026-39838) - ProofreadPage improperly sanitizes multiline
styles using Sanitizer::checkCSS
https://gerrit.wikimedia.org/r/q/Idd51e18479b32b7176b43ff74ca1c49d6bdd0628
Cargo
+ (T416271, CVE-2026-39839) - Stored XSS through URLs in Cargo's map format
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237957
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237977
Cargo
+ (T416368, CVE-2026-39840) - CSS injection in multiple Cargo display
formats
https://gerrit.wikimedia.org/r/c/1237966
Cargo
+ (T416389, CVE-2026-39841) - Stored XSS through list fields on Cargo's
page values and Special:CargoTables
https://gerrit.wikimedia.org/r/c/1237973
Cargo
+ (T416402, CVE-2026-39837) - Stored XSS through the dynamic table format
in Cargo
https://gerrit.wikimedia.org/r/c/1237979
WikiLove
+ (T416502, CVE-2026-22711) - Stored XSS through system messages in WikiLove
https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3
CentralAuth
+ (T418122, CVE-2026-39937) - Global vanishing does not completely remove
user email
https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e
GlobalWatchlist
+ (T418179, CVE-2026-39933) - Multiple XSS vulnerabilities in GlobalWatchlist
https://gerrit.wikimedia.org/r/q/I1fc7b7e1d234b0aaf9f7d782a65da1451577587e
GrowthExperiments
+ (T418222, CVE-2026-39934) - ReassignMenteesJob runs as an infinite loop
https://gerrit.wikimedia.org/r/c/1243874
CampaignEvents
+ (T418254, CVE-2026-39935) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/c/1249320
Score
+ (T419186, CVE-2026-39936) - Stored XSS due to usage of non-reserved data
attributes
https://gerrit.wikimedia.org/r/q/I1fb2913bc32328cbc4ecd4b4ad4a4788fb98c56c
RenderBlocking
+ (GHSA-4h5r-8rjm-496r, CVE-2026-30977) - Stored XSS in renderblocking-css
with Inline Assets mode
https://github.com/lihaohong6/RenderBlocking/commit/096fc47dad9dca153b02cba3...
The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security AT wikimedia.org
or file a security task within Phabricator [3]. CVE JSON references can be
found on Gitlab [4].
[1] https://phabricator.wikimedia.org/T411394
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
[4] https://gitlab.wikimedia.org/repos/security/wikimedia-cve-assignments
--
Scott Bassett
sbassett AT wikimedia.org
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org
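As an added practitioner check, not part of the announcement and not code from the MediaWiki project: a POSIX shell script that audits git-installed copies of the extensions named above against the release branch matching the running core version (REL1_43, REL1_44 or REL1_45, the branch naming used on gerrit). The function names, the status labels and the assumption that extensions are git checkouts under "$MW_ROOT/extensions" are this example's own; run `git fetch` in each checkout beforehand if the "behind" count should reflect upstream.

```shell
#!/bin/sh
# Added example, not code from the announcement or from MediaWiki itself.
# Audits the extensions named in the announcement against the release branch
# that matches the installed core version. Assumptions (this example's own):
# extensions are git checkouts under "$MW_ROOT/extensions", and supported
# branches follow gerrit's REL1_xx naming (1.45.x -> REL1_45). Run `git fetch`
# in each checkout first if the "behind" count should reflect upstream.

# Extensions listed in this announcement.
AFFECTED="ReportIncident ProofreadPage Cargo WikiLove CentralAuth GlobalWatchlist GrowthExperiments CampaignEvents Score RenderBlocking"

# Map a core version such as "1.45.2" to its release branch name "REL1_45".
rel_branch() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) echo "rel_branch: unrecognised version '$1'" >&2; return 1 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    echo "REL${major}_${minor}"
}

# Print "<name> <status>" for one checkout. Status values (this example's own):
#   notgit     directory is not its own git checkout (tarball copy, or a plain
#              directory inside a git-managed core tree)
#   branch:X   checked out on a branch other than the expected one
#   behind:N   on the expected branch but N commits behind its upstream
#   ok         on the expected branch and at its upstream tip (or no upstream)
check_extension() {
    dir=$1; want=$2
    name=$(basename "$dir")
    # Compare the repo top level with the directory itself so that a tarball
    # copy dropped into a git-managed core tree is not mistaken for a checkout.
    top=$(git -C "$dir" rev-parse --show-toplevel 2>/dev/null) || top=
    if [ "$top" != "$(cd "$dir" && pwd -P)" ]; then
        printf '%s notgit\n' "$name"; return 0
    fi
    cur=$(git -C "$dir" rev-parse --abbrev-ref HEAD)
    if [ "$cur" != "$want" ]; then
        printf '%s branch:%s\n' "$name" "$cur"; return 0
    fi
    if git -C "$dir" rev-parse --verify -q "$want@{upstream}" >/dev/null; then
        behind=$(git -C "$dir" rev-list --count "HEAD..$want@{upstream}")
        if [ "$behind" -gt 0 ]; then
            printf '%s behind:%s\n' "$name" "$behind"; return 0
        fi
    fi
    printf '%s ok\n' "$name"
}

# Walk the affected extensions that are actually installed under $1/extensions
# and report each against the branch for core version $2.
audit_extensions() {
    root=$1; version=$2
    want=$(rel_branch "$version") || return 1
    for ext in $AFFECTED; do
        [ -d "$root/extensions/$ext" ] || continue
        check_extension "$root/extensions/$ext" "$want"
    done
}

# Usage: sh audit-extensions.sh /var/www/mediawiki 1.45.2
if [ "$#" -eq 2 ]; then
    audit_extensions "$1" "$2"
fi
```

Anything reported as `branch:master` is on the development branch rather than a release branch, which is one of the two options the announcement allows; `branch:REL1_42` or older points at a branch outside the supported window and should be moved forward.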
Archive provided by MHonArc 2.6.19+.