This vulnerability in the Wikimedia Foundation's Mediawiki Cargo Extension (prior to version 3.8.7) is classified as CWE-80, indicating improper neutralization of script-related HTML tags leading to stored XSS. An attacker could inject malicious scripts that are stored and later executed in the context of users viewing affected pages. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required but user interaction needed, and high scope and impact on confidentiality, integrity, and availability. No vendor advisory or patch information is currently available, and the vulnerability is not related to a cloud service.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of users viewing the affected Mediawiki pages, potentially leading to session hijacking, defacement, or other malicious actions. The impact affects confidentiality, integrity, and availability with high scope, but requires user interaction and low privileges to exploit. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting or sanitizing user input that can be stored and rendered by the Cargo Extension. Monitor official Wikimedia Foundation channels for updates and apply updates promptly once available.