CVE-2026-39837 describes a stored cross-site scripting (XSS) vulnerability in the Mediawiki Cargo Extension maintained by the Wikimedia Foundation. The vulnerability is due to improper neutralization of script-related HTML tags in web pages generated by the extension, allowing an attacker to inject malicious scripts that persist and execute in users' browsers. This affects versions before 3.8.7. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and high scope and impact on integrity and availability. No official patch or remediation guidance is currently available from the vendor, and no exploits have been observed in the wild.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected Mediawiki instance, potentially leading to session hijacking, defacement, or other malicious actions within the scope of the user’s browser session. The impact is limited to the integrity and availability of the affected system as indicated by the CVSS vector. Since no known exploits are reported, the immediate risk appears moderate.

Patch status is not yet confirmed — check the Wikimedia Foundation advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting user input that can include script-related HTML tags or apply custom filtering to mitigate stored XSS risks. Monitor official Wikimedia Foundation channels for updates regarding patches or official mitigations.