{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30917", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.884Z", "datePublished": "2026-03-09T22:50:20.879Z", "dateUpdated": "2026-03-10T13:52:52.786Z"}, "containers": {"cna": {"title": "Stored XSS on Bucket namespace pages", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/security/advisories/GHSA-8jrp-37wc-5v7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/security/advisories/GHSA-8jrp-37wc-5v7c"}, {"name": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/46ec08876ba9064987f20e8f42690854202a73ff", "tags": ["x_refsource_MISC"], "url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/46ec08876ba9064987f20e8f42690854202a73ff"}, {"name": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/cba9cf9c8751e9f3e6d559f44cadc39b84f7bff6", "tags": ["x_refsource_MISC"], "url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/cba9cf9c8751e9f3e6d559f44cadc39b84f7bff6"}], "affected": [{"vendor": "weirdgloop", "product": "mediawiki-extensions-Bucket", "versions": [{"version": "< 2.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:50:20.879Z"}, "descriptions": [{"lang": "en", "value": "Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed in 2.1.1."}], "source": {"advisory": "GHSA-8jrp-37wc-5v7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:52:45.646494Z", "id": "CVE-2026-30917", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:52:52.786Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30917", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:52:45.646494Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:52:49.182Z"}}], "cna": {"title": "Stored XSS on Bucket namespace pages", "source": {"advisory": "GHSA-8jrp-37wc-5v7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "weirdgloop", "product": "mediawiki-extensions-Bucket", "versions": [{"status": "affected", "version": "< 2.1.1"}]}], "references": [{"url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/security/advisories/GHSA-8jrp-37wc-5v7c", "name": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/security/advisories/GHSA-8jrp-37wc-5v7c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/46ec08876ba9064987f20e8f42690854202a73ff", "name": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/46ec08876ba9064987f20e8f42690854202a73ff", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/cba9cf9c8751e9f3e6d559f44cadc39b84f7bff6", "name": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/cba9cf9c8751e9f3e6d559f44cadc39b84f7bff6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed in 2.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:50:20.879Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30917", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:52:52.786Z", "dateReserved": "2026-03-07T16:40:05.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T22:50:20.879Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed in 2.1.1."}, {"lang": "es", "value": "Bucket es una extensi\u00f3n de MediaWiki para almacenar y recuperar datos estructurados en art\u00edculos. Antes de 2.1.1, un XSS almacenado puede insertarse en cualquier campo de tabla de Bucket que tenga un tipo PAGE, el cual se ejecutar\u00e1 cada vez que un usuario vea la p\u00e1gina de espacio de nombres de Bucket correspondiente a esa tabla. Esta vulnerabilidad est\u00e1 corregida en 2.1.1."}], "id": "CVE-2026-30917", "lastModified": "2026-04-16T14:45:19.723", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T17:40:15.517", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/46ec08876ba9064987f20e8f42690854202a73ff"}, {"source": "security-advisories@github.com", "url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/cba9cf9c8751e9f3e6d559f44cadc39b84f7bff6"}, {"source": "security-advisories@github.com", "url": "https://github.com/weirdgloop/mediawiki-extensions-Bucket/security/advisories/GHSA-8jrp-37wc-5v7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mediawiki-extensions-Bucket", "source": "cna", "vendor": "weirdgloop"}, "product": "mediawiki-extensions-bucket", "vendor": "weirdgloop"}], "analysis": {"en": {"generated_at": "2026-04-18T09:39:18.678000+00:00", "value": {"mitigation_remediation": ["Upgrade the Bucket extension to version\u202f2.1.1 or newer.", "If an upgrade is not immediately possible, revoke write permissions on Bucket tables for users with editor or lower privileges to stop malicious content insertion.", "Add an input\u2011validation or sanitization layer on writes to Bucket namespace pages so that script code is not stored or rendered."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All builds of the MediaWiki extension named Bucket distributed by the vendor weirdgloop are affected if the version is older than 2.1.1. Versions 2.1.1 and later incorporate the fix and are considered safe.", "description_and_impact": "The Bucket extension for MediaWiki, prior to version\u202f2.1.1, contains a stored cross\u2011site scripting flaw. A malicious actor can insert arbitrary JavaScript into any table field labeled as PAGE, and the script will run whenever a user views the corresponding namespace page. The weakness is a classic stored XSS, classified as CWE\u201179, and may allow victim browsers to execute code supplied by the attacker.", "risk_and_exploitability": "The CVSS base score of 8.8 indicates high severity, while the EPSS score of less than\u202f1\u202fpercent suggests a low likelihood of exploitation at present. The vulnerability is not included in the CISA KEV catalog. Exploitation requires an attacker to write data to a PAGE\u2011type field. The description does not specify required privileges; it is inferred that such writes may require editor or higher access. After the payload is stored, any user who visits the affected namespace page will have the script executed."}}}}, "created": "2026-03-10T14:06:27.119020+00:00", "updated": "2026-04-18T09:45:25.835459+00:00", "vendors": ["weirdgloop", "weirdgloop$PRODUCT$mediawiki-extensions-bucket"]}