This vulnerability (CWE-79) affects the Mediawiki Cargo Extension before version 3.8.7 and arises from improper input neutralization during web page generation, enabling cross-site scripting attacks targeting non-script elements. The CVSS 4.0 base score is 5.1, indicating medium severity with network attack vector, low attack complexity, and requiring user interaction and low privileges. The vulnerability is published and assigned by the Wikimedia Foundation but lacks an official remediation level or patch link at this time.

Successful exploitation could allow an attacker to execute cross-site scripting attacks within the context of the affected Mediawiki Cargo Extension, potentially leading to unauthorized actions performed by users or disclosure of sensitive information accessible to the victim. However, the impact is limited by the need for user interaction and low privileges, and no known exploits are currently reported.

Patch status is not yet confirmed — check the Wikimedia Foundation advisory for current remediation guidance. Until an official fix is released, users should consider applying any available updates to Mediawiki Cargo Extension beyond version 3.8.7 once published. Monitoring official vendor channels for updates is recommended.