CVE-2026-30977 LOW

CVE-2026-30977: RenderBlocking has Stored XSS in renderblocking-css with Inline Assets mode

Vendor Lihaohong6

Product RenderBlocking

Weakness CWE-79 · XSS

Published March 10, 2026

Last update March 11, 2026

View on NVD All CVEs

CVSS base score

2.0/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This vulnerability is fixed in 0.1.1.

Key dates

02Disclosure timeline

March 10, 2026 CVE published

March 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-30977 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-30977: RenderBlocking has Stored XSS in renderblocking-css with Inline Assets mode

01Description

02Disclosure timeline

03References

04Related CVE