CVE-2026-22714
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in MediaWiki Monaco Skin allows injection of arbitrary JavaScript via unsanitized user input in several template parameters.
Vulnerability Overview
CVE-2026-22714 is a stored or reflected cross-site scripting (XSS) vulnerability in the Monaco skin for MediaWiki. The issue arises from improper neutralization of user-supplied input in three template functions: monaco-footer-improve-linktext, monaco-view-history, and permalink [1]. These functions fail to sanitize or escape output, allowing an attacker to inject arbitrary HTML and JavaScript.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious payload that is processed by one of the affected template functions. For example, if the monaco-footer-improve-linktext parameter is manipulated, the injected script is rendered in the context of the wiki page. No special privileges are required; any user who can interact with the affected input fields can trigger the XSS. The attack can be performed remotely without authentication if the input is reflected from a URL parameter.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user viewing the affected page. This can lead to session hijacking, defacement, or theft of sensitive data. The vulnerability affects MediaWiki versions 1.39, 1.43, 1.44, and 1.45 when using the Monaco skin.
Mitigation
The Wikimedia Foundation has addressed this issue in a security update. Users are advised to upgrade to a patched version of the Monaco skin or apply the fix referenced in the Phabricator task [1]. As of the publication date, no workaround is available other than disabling the skin.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.45, 1.44, 1.43, 1.39
Patches
No patches discovered yet.