CVE-2026-0670 identifies a Cross-Site Scripting (XSS) vulnerability classified under CWE-79 in the ProofreadPage extension of the MediaWiki platform maintained by the Wikimedia Foundation. The vulnerability affects versions 1.39, 1.43, 1.44, and 1.45 of the extension. It stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code. When a victim user views a crafted page, the injected script executes within their browser context, potentially compromising session tokens, cookies, or enabling actions on behalf of the user. The CVSS 3.1 base score is 6.1 (medium), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction. The scope is changed, indicating the vulnerability affects components beyond the initially vulnerable extension, potentially impacting the entire MediaWiki instance. No public exploits or patches are currently documented, indicating the vulnerability is newly disclosed. The ProofreadPage extension is commonly used in environments requiring collaborative proofreading and digitization workflows, making it a target for attackers aiming to compromise user sessions or inject misleading content. The vulnerability does not affect availability but impacts confidentiality and integrity to a limited extent.

For European organizations, especially those using MediaWiki with the ProofreadPage extension in sectors such as education, cultural heritage, government, and research, this vulnerability poses a risk of session hijacking, unauthorized actions, and misinformation through content manipulation. Attackers could exploit this to steal user credentials or impersonate users, potentially leading to unauthorized access to sensitive information or disruption of collaborative workflows. Although the impact on availability is negligible, the breach of confidentiality and integrity could undermine trust in publicly accessible or internal knowledge bases. The requirement for user interaction limits mass exploitation but targeted phishing or social engineering campaigns could increase risk. Organizations relying heavily on MediaWiki for documentation or digital archiving should consider this vulnerability a moderate threat to their operational security and data integrity.

Organizations should monitor for official patches or updates from the Wikimedia Foundation and apply them promptly once available. In the interim, administrators should implement strict input validation and output encoding on all user-supplied content within the ProofreadPage extension. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Disabling or restricting the use of the ProofreadPage extension temporarily may be considered if patching is delayed and risk is high. User awareness training to recognize phishing attempts that could trigger malicious links is advisable. Regular security audits and penetration testing focusing on web application vulnerabilities can help identify similar issues proactively. Additionally, configuring MediaWiki to use secure cookies and enforcing HTTPS can reduce session hijacking risks.