The RenderBlocking extension for MediaWiki, developed by lihaohong6, enables interface administrators to specify CSS and JavaScript that block rendering. Versions prior to 0.1.1 contain a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-30977 (CWE-79). This vulnerability occurs specifically when the configuration variable $wgRenderBlockingInlineAssets is set to true, allowing inline assets mode. Exploitation requires the attacker to have editsitecss user rights, which are typically granted to trusted users with the ability to edit site-wide CSS. Under these conditions, an attacker can inject malicious JavaScript code into the renderblocking-css component, which is then stored and executed in the browsers of users who view the affected pages. The vulnerability impacts confidentiality and integrity by enabling script execution in the context of the MediaWiki site, potentially leading to session hijacking or unauthorized actions. However, the attack surface is limited by the need for high privileges and user interaction. The issue was publicly disclosed on March 10, 2026, and fixed in RenderBlocking version 0.1.1. No public exploits have been reported to date.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can lead to session hijacking, unauthorized actions on behalf of users, or defacement of the MediaWiki site. Since exploitation requires editsitecss rights, the risk is limited to environments where such privileges are granted to potentially untrusted users or where privilege escalation is possible. Organizations using vulnerable versions may face risks to the integrity and confidentiality of their MediaWiki installations, especially if the wiki is used for sensitive or internal information sharing. The availability impact is minimal as the vulnerability does not directly cause denial of service. Given the limited exploitability and requirement for high privileges, the overall risk to large organizations is low but non-negligible in environments with lax user privilege controls.

To mitigate this vulnerability, organizations should upgrade the RenderBlocking extension to version 0.1.1 or later, where the issue is fixed. Additionally, review and restrict editsitecss user rights to only trusted administrators to minimize the risk of malicious code injection. Implement strict content security policies (CSP) to limit the execution of unauthorized scripts within the MediaWiki environment. Regularly audit user permissions and monitor for unusual edits to site-wide CSS or JavaScript. Employ web application firewalls (WAFs) that can detect and block XSS payloads. Finally, educate administrators about the risks of granting elevated privileges and the importance of applying security patches promptly.