Multiple MediaWiki and Extension Vulnerabilities Expose Sites to XSS Risks
dCERT issued an advisory for multiple vulnerabilities in MediaWiki, followed by a second advisory covering multiple vulnerabilities in MediaWiki extensions that allow cross-site scripting (XSS). The notices indicate that organizations running MediaWiki-based platforms may be exposed through flaws in both the core software and its extension ecosystem.
The combined advisories point to a broader security issue for MediaWiki deployments, where weaknesses in core components and add-on extensions can increase the risk of malicious script injection and related compromise of user sessions or administrative actions. Organizations using MediaWiki should review affected versions, assess installed extensions, and apply vendor fixes or mitigations as they become available.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
dCERT publishes MediaWiki Extensions XSS vulnerabilities advisory
dCERT published advisory 2026-1023 describing multiple vulnerabilities in MediaWiki Extensions that allow cross-site scripting. The reference does not provide further details on affected extensions, patches, or exploitation.
dCERT publishes MediaWiki multiple vulnerabilities advisory
dCERT published advisory 2026-0928 covering multiple vulnerabilities affecting MediaWiki. No additional technical details or remediation timeline are provided in the reference content.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Vulnerabilities Disclosed in Checkmk, Including Cross-Site Scripting Flaws
German authorities published two security advisories for **Checkmk** covering multiple vulnerabilities, including flaws that could enable **cross-site scripting (XSS)**. One advisory specifically identifies several XSS issues in the IT infrastructure and monitoring platform, while a later advisory broadens the scope to additional unspecified vulnerabilities affecting Checkmk. The disclosures indicate that organizations using Checkmk should review vendor guidance and available patches promptly, as the vulnerabilities may expose monitoring environments to client-side code execution and other security risks. The advisories were issued by **dCERT** under identifiers `2026-0909` and `2026-0965`, signaling an ongoing vulnerability response affecting the product.
Apr 10, 2026
TinyMCE patches stored XSS flaws in editor sanitizer and media plugin
TinyMCE has patched multiple cross-site scripting vulnerabilities in its widely deployed rich text editor, including stored and sanitization-related flaws tracked as `CVE-2026-47759`, `CVE-2026-47760`, `CVE-2026-47761`, and `CVE-2026-47762`. The issues could let remote attackers inject malicious JavaScript into web content and compromise active user sessions when affected content is viewed. Reported weaknesses include improper namespace scope handling in the core sanitizer, bypasses involving prefixed attributes and comment handling, and a flaw in the media plugin. The media plugin issue, `CVE-2026-47761`, stems from TinyMCE serializing rich-media elements into placeholder images while preserving raw properties in `data-mce-*` HTML attributes. Because many downstream filters permit arbitrary `data-*` attributes, malicious payloads can survive sanitization, be stored persistently, and later be deserialized into active DOM elements without sufficient validation, triggering script execution in users' browsers. TinyMCE said fixes are available in supported branches and advised customers to upgrade to version `7.9.3` or later or `8.5.1`, while version 5 commercial users may require long-term support updates.
Jun 10, 2026
Drupal and TYPO3 Core Flaws Prompt CMS Security Advisories
Security advisories were issued for **multiple vulnerabilities in Drupal Core** and for a **TYPO3 Core information disclosure flaw**, highlighting fresh risk in widely deployed content management systems. The Drupal notice identifies several unresolved security issues in the core platform, while the TYPO3 advisory warns that a vulnerability could expose sensitive information to unauthorized parties. Organizations running either CMS are likely to review affected versions, assess exposure of internet-facing instances, and prioritize vendor guidance for patching or mitigation. The disclosures underscore the operational risk of unremediated core-platform weaknesses in web publishing environments, where vulnerabilities can affect confidentiality and potentially broaden the attack surface for follow-on compromise.
Apr 21, 2026