VYPR
Medium severity · NVD Advisory · Published Oct 18, 2025 · Updated Apr 15, 2026

CVE-2025-62671

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: master.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in MediaWiki Cargo Extension allows attackers to inject malicious HTML into table fields via wikitext, leading to cross-site scripting.

Vulnerability

Overview

The Cargo extension for MediaWiki is vulnerable to a stored cross-site scripting (XSS) flaw due to improper neutralization of user-supplied input when rendering filter values on the Drilldown page [1]. The root cause is that the printFilterValue() function in CargoDrilldownPage.php returns the raw filter value without escaping HTML special characters [3]. This string is subsequently passed through multiple functions and ultimately inserted into the page's HTML, allowing arbitrary script execution [3].

Exploitation

An attacker can exploit this by creating a template that declares a Cargo table and stores user-controlled data via the #cargo_store parser function [3]. By including malicious wikitext containing an HTML `` tag as the payload, the injected script is stored in the Cargo table. When a victim visits the Special:Drilldown page for that table, the unescaped filter value is rendered, causing the script to execute in the victim's browser [3]. No special privileges beyond the ability to edit pages with Cargo templates are required.

Impact

Successful exploitation results in stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of any user viewing the affected Drilldown page. This can lead to session hijacking, defacement, or theft of sensitive information. The vulnerability affects the master branch of the Cargo extension [1].

Mitigation

The issue has been fixed in commit e509156, which applies htmlspecialchars() with ENT_QUOTES to the filter value before output [4]. Users are strongly advised to update their Cargo extension to the latest version that includes this security patch. No workarounds have been documented.
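To make the effect of the fix concrete, here is an added example (not the extension's or the advisory's code): a stand-alone PHP harness that mimics the plain-value branch of printFilterValue() before and after commit e509156 and checks whether any markup-significant character survives in the output. The function names, the check helper and the sample filter values are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Stand-in for the two versions of the plain-value branch of
// printFilterValue() shown in the patch hunk. The "~within_" hierarchy
// branch is omitted because it depends on the MediaWiki message system.

/** Pre-fix behaviour: the stored filter value is returned untouched. */
function printFilterValueUnpatched( string $value ): string {
	return $value;
}

/** Post-fix behaviour (commit e509156): escape with ENT_QUOTES. */
function printFilterValuePatched( string $value ): string {
	return htmlspecialchars( $value, ENT_QUOTES );
}

/**
 * Defender-side check: true when the string can be emitted as HTML text or
 * inside a single- or double-quoted attribute without altering the markup,
 * i.e. none of < > " ' remain unencoded.
 */
function isSafeForHtmlAttributeOrText( string $s ): bool {
	return preg_match( '/[<>"\']/', $s ) !== 1;
}

// Constructed sample values of the kind that might be stored in a Cargo
// table field; they are test data, not payloads taken from the advisory.
$samples = [
	'plain value',
	'<b>stored markup</b>',
	'" title="double-quote breakout',
	"' title='single-quote breakout",
	'Tom & Jerry',
];

foreach ( $samples as $value ) {
	$raw = printFilterValueUnpatched( $value );
	$escaped = printFilterValuePatched( $value );
	// ENT_COMPAT (the default before PHP 8.1) leaves single quotes unencoded,
	// which is why the patch passes ENT_QUOTES explicitly.
	$compat = htmlspecialchars( $value, ENT_COMPAT );
	printf(
		"%-32s raw:%s ENT_COMPAT:%s ENT_QUOTES:%s\n",
		$value,
		isSafeForHtmlAttributeOrText( $raw ) ? 'safe' : 'UNSAFE',
		isSafeForHtmlAttributeOrText( $compat ) ? 'safe' : 'UNSAFE',
		isSafeForHtmlAttributeOrText( $escaped ) ? 'safe' : 'UNSAFE'
	);
	assert( isSafeForHtmlAttributeOrText( $escaped ) );
}
```

Running it shows the single-quote sample as UNSAFE under both the raw path and ENT_COMPAT, and safe only with ENT_QUOTES, which is the flag the fix uses.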

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
mediawiki/cargo (Packagist)  < 3.8.3             3.8.3

Affected products (1)

Patches (1)

e50915626c0d

SECURITY: Escape filter values

https://github.com/wikimedia/mediawiki-extensions-Cargo · SomeRandomDeveloper · Aug 17, 2025 · via ghsa
1 file changed · +1 −1
  • drilldown/CargoDrilldownPage.php · +1 −1 · modified
    @@ -347,7 +347,7 @@ public function printFilterValue( $filter, $value ) {
     			preg_match( "/^~within_(.+)/", $value, $matches );
     			return $this->msg( 'cargo-drilldown-hierarchy-within', $matches[1] )->parse();
     		} else {
    -			return $value;
    +			return htmlspecialchars( $value, ENT_QUOTES );
     		}
     	}
     
    
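Review bot: the `+` line escapes only the `else` branch of printFilterValue(); the `~within_` branch above it returns `->parse()` output, which is already HTML, so every return path now yields HTML-safe text and callers must not escape a second time (a double-encoded value would surface as `&amp;lt;` in the rendered page). A regression test that feeds a value containing `<`, `"` and `'` through printFilterValue() would pin the ENT_QUOTES behaviour, since relying on the PHP default flags would leave single quotes unencoded on older PHP releases.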

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)
