CVE-2026-0669
📋 TL;DR
This path traversal vulnerability in MediaWiki's CSS extension allows attackers to read arbitrary files on the server by manipulating file paths. It affects MediaWiki installations using the CSS extension versions 1.39 through 1.44. Attackers could potentially access sensitive configuration files or source code.
💻 Affected Systems
- Wikimedia Foundation MediaWiki - CSS extension
📦 What is this software?
Css by Css Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like configuration files containing database credentials, SSH keys, or other secrets that could lead to further exploitation.
Likely Case
Information disclosure of sensitive files, potentially exposing configuration data, user information, or source code that could enable further attacks.
If Mitigated
Limited file access restricted by server permissions, potentially only reading publicly accessible files or encountering permission errors.
🎯 Exploit Status
Path traversal vulnerabilities typically require minimal technical skill to exploit once the vulnerability details are understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.44.1, 1.43.2, 1.39.8 or later
Vendor Advisory: https://phabricator.wikimedia.org/T401526
Restart Required: No
Instructions:
1. Update MediaWiki to a patched version (1.44.1, 1.43.2, or 1.39.8+).
2. Update the CSS extension if it is installed separately.
3. Clear caches if applicable.
4. Verify the fix by testing the previously vulnerable functionality.
🔧 Temporary Workarounds
Disable CSS Extension
Temporarily disable the vulnerable CSS extension until patching is possible
Edit LocalSettings.php and remove or comment out: wfLoadExtension('CSS');
Web Server Path Restrictions
Configure the web server to block path traversal attempts at the web server level
For Apache: Set 'AllowOverride None' in directory configuration
For Nginx: Add location blocks to restrict file access patterns
🧯 If You Can't Patch
- Implement strict web application firewall (WAF) rules to block path traversal patterns
- Restrict file system permissions to limit what files the web server user can read
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version and CSS extension status. If running affected versions (1.39, 1.43, 1.44) with CSS extension enabled, assume vulnerable.
Check Version:
Check LocalSettings.php for $wgVersion or view Special:Version page in MediaWiki interface
Verify Fix Applied:
After updating, verify version is 1.44.1, 1.43.2, or 1.39.8+. Test the CSS functionality that was vulnerable to confirm path traversal is blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in web server logs (e.g., '../' sequences)
- Failed file access attempts to sensitive paths
- CSS extension errors with unusual parameters
Network Indicators:
- HTTP requests containing '../' or similar path traversal sequences to CSS-related endpoints
SIEM Query:
web_access_logs WHERE url CONTAINS '../' AND (url CONTAINS 'CSS' OR url CONTAINS 'index.php?title=')
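As an added example (not part of this advisory), the Python script below applies the log indicators above to Apache access-log lines: it percent-decodes each request URL (bounded, so double encoding is caught), folds backslashes to forward slashes, flags any '../' sequence, and tags whether the request targets a CSS-related endpoint or an index.php?title= page, the same scoping as the SIEM query. The log lines and the `page=` parameter are constructed for this example and are not the extension's real interface.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines for this example; they are not
# captured traffic, and the query parameter names are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2026:10:01:02 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Feb/2026:10:01:05 +0000] "GET /index.php?title=MediaWiki:Common.css&action=raw HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Feb/2026:10:01:09 +0000] "GET /index.php?title=CSS&page=../../LocalSettings.php HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.12 - - [12/Feb/2026:10:01:11 +0000] "GET /index.php?title=CSS&page=%252e%252e%2F%252e%252e%2FLocalSettings.php HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.13 - - [12/Feb/2026:10:02:30 +0000] "GET /images/..%5c..%5cREADME HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalise_url(url: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..%2F' is caught,
    then fold backslashes to '/' so '..\\' variants match the same pattern."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")


def is_css_related(url: str) -> bool:
    # Mirrors the advisory's scoping: a CSS-related URL or an index.php?title= request.
    lowered = url.lower()
    return "css" in lowered or "index.php?title=" in lowered


def detect_traversal(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded URL contains a '../' sequence."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = normalise_url(m.group("url"))
        if TRAVERSAL_RE.search(url):
            findings.append({"ip": m.group("ip"), "url": url,
                             "css_related": is_css_related(url)})
    return findings


if __name__ == "__main__":
    for finding in detect_traversal(SAMPLE_LOG):
        print(finding)
```

Requests flagged with css_related=False are still traversal attempts and worth a look; the flag only tells you which ones match this advisory's endpoint scoping.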