CVE-2026-39837

Description

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

References

• https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237979
• https://phabricator.wikimedia.org/T416402