Greetings-
With the security/maintenance release of MediaWiki 1.43.7/1.44.4/1.45.2, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
ReportIncident + (T414582, CVE-2026-5762) - ReportIncident DiscussionTools integration causes slow requests with occasional timeouts on large talk pages
https://gerrit.wikimedia.org/r/q/I05d7f65c57d9aa1b70cdb159c4291ac28c60b4dd

ProofreadPage + (T406088, CVE-2026-39838) - ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS
https://gerrit.wikimedia.org/r/q/Idd51e18479b32b7176b43ff74ca1c49d6bdd0628

Cargo + (T416271, CVE-2026-39839) - Stored XSS through URLs in Cargo's map format
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237957
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237977

Cargo + (T416368, CVE-2026-39840) - CSS injection in multiple Cargo display formats
https://gerrit.wikimedia.org/r/c/1237966

Cargo + (T416389, CVE-2026-39841) - Stored XSS through list fields on Cargo's page values and Special:CargoTables
https://gerrit.wikimedia.org/r/c/1237973

Cargo + (T416402, CVE-2026-39837) - Stored XSS through the dynamic table format in Cargo
https://gerrit.wikimedia.org/r/c/1237979

WikiLove + (T416502, CVE-2026-22711) - Stored XSS through system messages in WikiLove
https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3

CentralAuth + (T418122, CVE-2026-39937) - Global vanishing does not completely remove user email
https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e

GlobalWatchlist + (T418179, CVE-2026-39933) - Multiple XSS vulnerabilities in GlobalWatchlist
https://gerrit.wikimedia.org/r/q/I1fc7b7e1d234b0aaf9f7d782a65da1451577587e

GrowthExperiments + (T418222, CVE-2026-39934) - ReassignMenteesJob runs as an infinite loop
https://gerrit.wikimedia.org/r/c/1243874

CampaignEvents + (T418254, CVE-2026-39935) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/c/1249320

Score + (T419186, CVE-2026-39936) - Stored XSS due to usage of non-reserved data attributes
https://gerrit.wikimedia.org/r/q/I1fb2913bc32328cbc4ecd4b4ad4a4788fb98c56c

RenderBlocking + (GHSA-4h5r-8rjm-496r, CVE-2026-30977) - Stored XSS in renderblocking-css with Inline Assets mode
https://github.com/lihaohong6/RenderBlocking/commit/096fc47dad9dca153b02cba3...
The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or to the relevant, supported release branch [2] as soon as possible.

Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, security reports sometimes contain sensitive information, and because Phabricator preserves the full history of a task, we cannot make those tasks public without exposing that information.

If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3]. CVE JSON references can be found on GitLab [4].
[1] https://phabricator.wikimedia.org/T411394
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
[4] https://gitlab.wikimedia.org/repos/security/wikimedia-cve-assignments
mediawiki-l@lists.wikimedia.org