Create Task
Maniphest T416389

CVE-2026-39841: Stored XSS through list fields on Cargo's page values and Special:CargoTables
Closed, ResolvedPublicSecurity
Actions

Description

Through storing arbitrary HTML to a Cargo table's list field, it is possible to achieve a stored XSS on Special:CargoTables and action=pagevalues.

Reproduction steps

  1. Create Template:XSS with the following contents:
{{#cargo_declare:_table=ListXss
|Items=List (,) of String
}}
{{#cargo_store:_table=ListXss
|Items=<script>alert('xss')</script>
}}
  1. Create the table for Template:XSS
  2. Null-edit Template:XSS to insert the row
  3. Go to Special:CargoTables/XSS or Template:XSS?action=pagevalues
  4. An alert box is displayed on page load.

Cause

In CargoQueryDisplayer, combined list field values are entity-decoded in case the item delimiter could be affected. However, the individual items that are being formatted do not get encoded, and non-Wikitext field types do not run through the wikitext parser.

Additional information

Cargo 3.8.6 (e89d34e)

Details

Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Properly handle escaping of list field itemsmediawiki/extensions/Cargomaster+4 -2
Customize query in gerrit

Related Objects

Event Timeline

Alex44019 created this task.Feb 3 2026, 7:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 3 2026, 7:01 PM
Alex44019 claimed this task.Feb 3 2026, 7:02 PM
Alex44019 added projects: MediaWiki-extensions-Cargo, Vuln-XSS, affects-Miraheze.
Alex44019 added a subscriber: Yaron_Koren.
Alex44019 added a comment.Feb 3 2026, 7:05 PM

T416389.patch1 KBDownload

Yaron_Koren added subscribers: JeffreyWang, RheingoldRiver, SomeRandomDeveloper.Feb 3 2026, 8:11 PM
SomeRandomDeveloper added a project: Patch-For-Review.Feb 3 2026, 8:19 PM
SomeRandomDeveloper mentioned this in T411394: Write and send supplementary release announcement for extensions and skins with security patches (1.43.7/1.44.4/1.45.2).
Alex44019 updated the task description. (Show Details)Feb 3 2026, 9:02 PM
Alex44019 updated the task description. (Show Details)
SomeRandomDeveloper added a subscriber: cicalese.Feb 8 2026, 10:44 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Feb 9 2026, 5:22 PM
sbassett subscribed.

Happy to include this in the next supplemental security release once the patch is reviewed/merged.

SomeRandomDeveloper added a subscriber: gerritbot.Feb 9 2026, 6:13 PM
gerritbot added a comment.Feb 9 2026, 6:15 PM

Change #1237973 had a related patch set uploaded (by Alex44019; author: Alex44019):

[mediawiki/extensions/Cargo@master] SECURITY: Properly handle escaping of list field items

https://gerrit.wikimedia.org/r/1237973

gerritbot added a comment.Feb 9 2026, 9:29 PM

Change #1237973 merged by jenkins-bot:

[mediawiki/extensions/Cargo@master] SECURITY: Properly handle escaping of list field items

https://gerrit.wikimedia.org/r/1237973

Alex44019 removed a project: Patch-For-Review.Feb 9 2026, 10:54 PM
Yaron_Koren closed this task as Resolved.Mar 4 2026, 3:34 PM
ASanford-WMF renamed this task from Stored XSS through list fields on Cargo's page values and Special:CargoTables to CVE-2026-39841: Stored XSS through list fields on Cargo's page values and Special:CargoTables.Apr 7 2026, 8:05 PM
ASanford-WMF changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 7 2026, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits