CVE-2026-30917 HIGH

CVE-2026-30917: Stored XSS on Bucket namespace pages

Vendor Weirdgloop

Product mediawiki-extensions-Bucket

Weakness CWE-79 · XSS

Published March 9, 2026

Last update March 10, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L

What the vulnerability does

01Description

Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed in 2.1.1.

Key dates

02Disclosure timeline

March 9, 2026 CVE published

March 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-30917

Related vulnerabilities

04Related CVE

CVE-2025-32536 WordPress HTML5 Video Player with Playlist Plugin <= 2.50 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-23921 Moodle: reflected xss risk in some returnurl parameters CVE-2022-3123 Cross-site Scripting (XSS) - Reflected in splitbrain/dokuwiki CVE-2026-45479 Microsoft SharePoint Server Spoofing Vulnerability CVE-2026-5508 WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes