CVE-2025-32077
Description
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Extension:SimpleCalendar allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Extension:SimpleCalendar: from 1.39 through 1.43.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in MediaWiki SimpleCalendar extension allows stored XSS via crafted calendar parameters, affecting versions 1.39 to 1.43.
The SimpleCalendar extension for MediaWiki fails to properly sanitize user-supplied values in the dayformat and title parameters of the #calendar parser function. This improper input validation allows an attacker to inject arbitrary HTML and JavaScript, leading to cross-site scripting (XSS) vulnerabilities [1].
An attacker can exploit the dayformat parameter by saving a page with {{#calendar: month=01 | dayformat=\m\e\o\w}} and then editing the system messages "january" or "meow" to include malicious script, or by using uselang=x-xss to trigger the payload. Alternatively, the title parameter can be directly abused with a value like > to execute JavaScript when the page is viewed [1].
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to account takeover, theft of sensitive data, or defacement of the wiki. The vulnerability affects SimpleCalendar versions from 1.39 through 1.43 [1].
Patches have been committed to the extension's repository for branches REL1_39, REL1_42, REL1_43, and master. Users are strongly advised to update to the latest patched version to mitigate the risk [1].
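The pattern described above, shown next to an escaped version, as an added standalone PHP illustration. It is not the SimpleCalendar source and not the committed patch: the function names, the message table and the sample values are hypothetical, and it assumes (as the description implies) that the formatted date string is used as a system-message key whose text reaches the page unescaped.

```php
<?php
// Added illustration: NOT the SimpleCalendar source. All names are hypothetical.

// Constructed stand-in for wiki system messages, whose text an editor with the
// right permissions can change.
const MESSAGES = [
    'january' => 'January',
    'meow'    => '<i id="probe">meow</i>', // constructed: message text carrying markup
];

// Look up a message by key; like a raw message fetch, the text comes back unescaped.
function messageText(string $key): string {
    return MESSAGES[strtolower($key)] ?? $key;
}

// Vulnerable pattern: the formatted date string is used as a message key, and both
// the message text and the caller-supplied title are concatenated into HTML as-is.
function renderDayUnsafe(int $ts, string $dayFormat, string $title): string {
    $label = messageText(gmdate($dayFormat, $ts));
    return '<a title="' . $title . '">' . $label . '</a>';
}

// Hardened pattern: every value is escaped for the HTML context it lands in.
// ENT_QUOTES covers both quote styles so the title attribute cannot be closed early.
function renderDaySafe(int $ts, string $dayFormat, string $title): string {
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $label = messageText(gmdate($dayFormat, $ts));
    return '<a title="' . $esc($title) . '">' . $esc($label) . '</a>';
}

$ts    = gmmktime(0, 0, 0, 1, 5, 2025);  // constructed date: 5 January 2025
$fmt   = '\m\e\o\w';                      // dayformat from the description: literal "meow"
$title = '"><i id="probe2">';             // constructed title value containing markup

// Unsafe: both probe elements survive as live markup in the output.
echo renderDayUnsafe($ts, $fmt, $title), PHP_EOL;
// Safe: the same inputs come out as inert, entity-encoded text.
echo renderDaySafe($ts, $fmt, $title), PHP_EOL;
```

Inside MediaWiki itself, the same effect is normally obtained with `Message::escaped()` for message text and `Html::element()` for building tags and attributes, rather than hand-concatenated strings.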
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.