CVE-2026-30917: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in weirdgloop mediawiki-extensions-Bucket
Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed in 2.1.1.
AI Analysis
Technical Summary
CVE-2026-30917 is a stored Cross-site Scripting (XSS) vulnerability identified in the weirdgloop MediaWiki extension named Bucket, which is designed to store and retrieve structured data on articles. The vulnerability exists in all versions prior to 2.1.1 and is caused by improper neutralization of input during web page generation, classified under CWE-79. Specifically, an attacker can inject malicious JavaScript payloads into any Bucket table field that is of PAGE type. When a user views the Bucket namespace page corresponding to the affected table, the injected script executes in the context of the victim's browser. This stored XSS does not require any authentication or user interaction, making it remotely exploitable over the network. The vulnerability can lead to session hijacking, credential theft, defacement, or further exploitation of the victim's environment. The CVSS 4.0 base score is 8.8, reflecting its high severity: the attack vector is network (AV:N), attack complexity is low (AC:L), no privileges are required (PR:N), no user interaction is needed (UI:N), and the impact on confidentiality is high (VC:H), with lower impacts on integrity and availability. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to any MediaWiki instance using the Bucket extension before version 2.1.1. The issue was publicly disclosed on March 9, 2026, and fixed in version 2.1.1. The lack of patch links in the provided data suggests users should obtain updates directly from the official weirdgloop or MediaWiki extension repositories. Exploitation could compromise the confidentiality and integrity of data managed within MediaWiki platforms, potentially affecting organizational knowledge bases and collaborative workflows.
Potential Impact
The impact of CVE-2026-30917 is substantial for organizations using MediaWiki with the Bucket extension, especially versions prior to 2.1.1. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of users viewing the affected pages, leading to session hijacking, theft of sensitive information such as credentials or tokens, unauthorized actions performed on behalf of users, and potential spread of malware. This can undermine the confidentiality and integrity of organizational data and disrupt availability if attackers deface or manipulate content. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk of widespread compromise. Organizations relying on MediaWiki for internal documentation, knowledge sharing, or public-facing content management are particularly vulnerable. The attack surface includes all users who access the Bucket namespace pages, potentially including administrators and privileged users, which could escalate the severity of the breach. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as public disclosure often leads to rapid development of exploit code. Failure to remediate promptly could result in data breaches, reputational damage, and regulatory consequences, especially for entities handling sensitive or regulated information.
Mitigation Recommendations
To mitigate CVE-2026-30917, organizations should immediately upgrade the weirdgloop MediaWiki extension Bucket to version 2.1.1 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement strict input validation and output encoding on all Bucket table fields of PAGE type to neutralize potentially malicious scripts. Restrict access to Bucket namespace pages to trusted users only, employing role-based access controls and network segmentation to limit exposure. Employ Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting the sources from which scripts can be loaded and executed. Regularly audit MediaWiki extensions and configurations for security compliance and monitor logs for unusual activity indicative of exploitation attempts. Educate users about the risks of XSS and encourage cautious behavior when interacting with MediaWiki content. Finally, maintain an up-to-date inventory of MediaWiki extensions and versions deployed to ensure timely application of security patches and updates.
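The output-encoding mitigation above, as an added example that is not the Bucket extension's own code: a hypothetical renderer for a PAGE-type field value, shown first in the unsafe form that concatenates the stored value into HTML, then hardened with title validation and context-appropriate encoding, plus a CSP header for the namespace page response. The `/wiki/` URL prefix, the `renderPageField*` function names and the title character check are assumptions for illustration.

```php
<?php
// Added example, not code from the Bucket extension. A PAGE-type field is
// assumed to hold a wiki page title that the namespace page renders as a link.

// Unsafe pattern: the stored field value reaches the HTML untouched, so any
// markup stored in the field becomes part of the rendered page.
function renderPageFieldUnsafe(string $value): string {
    return '<a href="/wiki/' . $value . '">' . $value . '</a>';
}

// Hardened pattern: reject values that cannot be a page title, then encode the
// value separately for the attribute context and the text context.
function renderPageFieldSafe(string $value): ?string {
    // Hypothetical title check: characters MediaWiki does not allow in titles.
    if ($value === '' || strlen($value) > 255 || preg_match('/[#<>\[\]|{}]/', $value)) {
        return null; // refuse to render rather than try to "clean" the value
    }
    $href = '/wiki/' . rawurlencode(str_replace(' ', '_', $value)); // assumed prefix
    $attr = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $attr . '">' . $text . '</a>';
}

// Defense in depth for the page that renders Bucket data: even if encoding is
// missed somewhere, inline script is blocked. Must be sent before any output.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample values, as a stored PAGE field might contain them.
$samples = ['Main Page', '"><script>alert(1)</script>'];
foreach ($samples as $stored) {
    echo "stored:   " . $stored . "\n";
    echo "unsafe:   " . renderPageFieldUnsafe($stored) . "\n";
    $safe = renderPageFieldSafe($stored);
    echo "hardened: " . ($safe === null ? '(rejected: not a valid title)' : $safe) . "\n\n";
}
```

Run with `php example.php`: the first sample renders as an escaped link, the second is rejected by the title check before any encoding is needed, and the unsafe renderer shows the markup that would otherwise reach the browser.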
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, France, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T16:40:05.884Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69af51f2ea502d3aa8d1f2ca
Added to database: 3/9/2026, 11:04:18 PM
Last enriched: 3/9/2026, 11:18:33 PM
Last updated: 3/13/2026, 1:05:08 PM