Vulnerability - CVE-2026-39840

›

›vulnerability›CVE-2026-39840

Name

CVE-2026-39840

Source

NVD ( link)Debian ( link)

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

CWEs

Published Date

Apr 7, 2026

Updated Date

Jun 17, 2026

Workaround

-

Advisories

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237966Patch

https://phabricator.wikimedia.org/T416368Exploit

Analysis#

Affected Component

Analysis

Vulnerability Ratings#

5.1

CVSSv4

6.1

CVSSv31

NaN

other

Others affected components#

Name

Project

Project Version

Version

Status

yocto

master

1.96.0

Not Affected

yocto

scarthgap

1.75.0

Not Affected