This vulnerability in Mediawiki's Cargo Extension allows stored XSS due to improper sanitization of script-related HTML tags. Attackers with low privileges and requiring user interaction can inject malicious scripts that execute in the context of other users viewing the affected pages. The issue affects versions prior to 3.8.7. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and high scope and impact on integrity and availability.

Successful exploitation could allow an attacker to execute arbitrary scripts in the browsers of users viewing the affected pages, potentially leading to session hijacking, defacement, or other script-based attacks. However, the attack requires user interaction and low privileges, limiting the ease of exploitation. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided, users should monitor Wikimedia Foundation advisories for updates. Until a fix is available, consider restricting user input that can include script-related HTML tags or applying custom sanitization as a temporary mitigation.