CVE-2026-34095
Description
Vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with the program files includes/Actions/ActionEntryPoint.php and includes/Request/FauxResponse.php.
This issue affects MediaWiki: all versions before 1.43.7, 1.44.4, and 1.45.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki's action=raw incorrectly returns text/html content type for JavaScript requests, potentially enabling cross-site scripting.
Vulnerability
Overview
CVE-2026-34095 is a content-type mismatch vulnerability in MediaWiki. When using the action=raw parameter with a subpage title under Special:Mypage and requesting ctype=text/javascript, the response incorrectly sets the Content-Type header to text/html instead of text/javascript [1]. This behavior originates in the includes/Actions/ActionEntryPoint.php and includes/Request/FauxResponse.php files.
Exploitation
An attacker can craft a URL that triggers this behavior, causing the browser to interpret the response as HTML. If the response contains user-controlled content (e.g., via page content or parameters), this could lead to cross-site scripting (XSS) attacks. No authentication is required to trigger the issue, as action=raw is accessible to unauthenticated users.
Impact
Successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to data theft, session hijacking, or defacement. The CVSS v3 base score of 6.1 (Medium) reflects the need for user interaction and the limited scope of affected responses.
Mitigation
The vulnerability is fixed in MediaWiki versions 1.43.7, 1.44.4, and 1.45.2 [1]. Users should upgrade to these or later versions. No workarounds are documented; restricting access to action=raw may reduce risk but is not a complete solution.
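A post-upgrade verification check, written for this page and not part of MediaWiki: it classifies captured action=raw responses by the symptom described above (ctype=text/javascript requested for a Special:Mypage subpage, text/html returned). The wiki host, URLs and headers below are constructed samples; a real check substitutes responses fetched from your own instance.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample responses (not captured from a real wiki): each entry is the
# request URL paired with the Content-Type header the server returned.
SAMPLE_RESPONSES = [
    # Unpatched behaviour described for CVE-2026-34095: JS requested, HTML returned.
    ("https://wiki.example/index.php?title=Special:Mypage/common.js&action=raw&ctype=text/javascript",
     {"Content-Type": "text/html; charset=UTF-8"}),
    # Expected behaviour after upgrading to a fixed release.
    ("https://wiki.example/index.php?title=Special:Mypage/common.js&action=raw&ctype=text/javascript",
     {"Content-Type": "text/javascript; charset=UTF-8"}),
    # Ordinary page view, not an action=raw request: out of scope for this check.
    ("https://wiki.example/index.php?title=Main_Page",
     {"Content-Type": "text/html; charset=UTF-8"}),
]


def media_type(header_value):
    """Lowercased media type of a Content-Type value, with parameters (charset) dropped."""
    return header_value.split(";", 1)[0].strip().lower()


def raw_request_params(url):
    """Extract title, action and ctype from a MediaWiki index.php URL (None when absent)."""
    query = parse_qs(urlsplit(url).query)
    return {key: query.get(key, [None])[0] for key in ("title", "action", "ctype")}


def is_content_type_mismatch(url, headers):
    """True when an action=raw request for ctype=text/javascript on a Special:Mypage
    subpage came back labelled text/html, i.e. the symptom this CVE describes."""
    params = raw_request_params(url)
    if params["action"] != "raw" or params["ctype"] is None:
        return False
    # Special page names are matched case-insensitively.
    if not (params["title"] or "").lower().startswith("special:mypage/"):
        return False
    served = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    return media_type(params["ctype"]) == "text/javascript" and media_type(served) == "text/html"


def audit(samples):
    """Return the request URLs whose responses show the mismatch."""
    return [url for url, headers in samples if is_content_type_mismatch(url, headers)]


if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print("MISMATCH:", url)
```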
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://phabricator.wikimedia.org/T419192 (NVD: Vendor Advisory, Issue Tracking)
News mentions
No linked articles in our index yet.