MediaWiki: CVE-2021-41798: Improper Neutralization of Input During Web Page Generation
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Oct 11, 2021 | Nov 26, 2021 | May 6, 2026 |
Description
MediaWiki before 1.36.2 allows XSS. Month-related MediaWiki messages are not escaped before being used on the Special:Search results page.
Solution
mediawiki-upgrade-latest
References
- CVE-2021-41798
- https://attackerkb.com/topics/CVE-2021-41798
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/
- https://phabricator.wikimedia.org/T285515
- https://security.gentoo.org/glsa/202305-24
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-28806
- CWE-79
- EUVD-EUVD-2021-28806