CVE-2026-58519

MEDIUM

The Wikimedia Foundation Mediawiki - Cargo Extension - Stored XSS Through Cargo's Map Format

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-58519. PoCs published by HermesNA-1.

AI-analyzed exploit summary This repository contains an auto-generated stub module for CVE-2026-58519, a stored XSS vulnerability in the Wikimedia Foundation MediaWiki Cargo Extension. The code includes placeholder logic for target probing but lacks actual exploit implementation for the XSS vulnerability.

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: from * before 3.9.1.

Exploits (1)

github STUB 1 stars
by HermesNA-1 · pythonpoc
https://github.com/HermesNA-1/SnakeSploit/tree/main/data/modules_generated/cve-2026-58519_improper_neutralization_input.py

This repository contains an auto-generated stub module for CVE-2026-58519, a stored XSS vulnerability in the Wikimedia Foundation MediaWiki Cargo Extension. The code includes placeholder logic for target probing but lacks actual exploit implementation for the XSS vulnerability.

Classification
Stub 99%
Attack Type
Xss
Complexity
Moderate
Reliability
Theoretical
Target: MediaWiki Cargo Extension (Wikimedia Foundation)
No auth needed
Prerequisites: Access to a vulnerable MediaWiki instance with the Cargo Extension installed · Ability to submit crafted input to trigger XSS
mistral-large-3 · analyzed Jul 09, 2026 Full analysis →

Scores

CVSS v3 5.4
EPSS 0.0013
EPSS Percentile 3.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
mediawiki/cargo < 3.9.1
The Wikimedia Foundation/Mediawiki - Cargo Extension < 3.9.1
Published Jul 01, 2026
Tracked Since Jul 01, 2026