mediawiki
431 tracked vulnerabilities.
CVE-2026-34095
MEDIUM
action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request
May 11, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34094
LOW
Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix
May 11, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-34093
MEDIUM
Special:UserRights allows viewing user rights from private wiki
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34092
HIGH
Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP
May 11, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34091
HIGH
Wikimedia Foundation MediaWiki - User Localization Leaked by AbuseFilter + EventStream
May 11, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34090
HIGH
Suggested investigations: Handle suppressed usernames
May 11, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34088
HIGH
RecentChanges entries expose suppressed content via generated log page html
May 11, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34087
HIGH
Users API leaks whether privileged users have their user groups disabled for lack of 2FA
May 11, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39841
MEDIUM
Stored XSS through list fields on Cargo's page values and Special:CargoTables
Apr 07, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-39840
MEDIUM
CSS injection in multiple Cargo display formats
Apr 07, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-39839
MEDIUM
Stored XSS through URLs in Cargo's map format
Apr 07, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-39837
MEDIUM
Stored XSS through the dynamic table format in Cargo
Apr 07, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-67484
CRITICAL
MediaWiki <1.39.16, 1.43.6, 1.44.3, 1.45.1 - Info Disclosure
Feb 03, 2026
CVSS 9.8
EPSS 0.00
CVE-2025-67483
MEDIUM
MediaWiki < 1.43.6, 1.44.3, 1.45.1 - Cross-Site Scripting in Page Preview
Feb 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-67481
MEDIUM
MediaWiki < 1.39.16, 1.43.6, 1.44.3, 1.45.1 - Cross-Site Scripting in mediawiki.JqueryMsg.Js
Feb 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-67480
MEDIUM
MediaWiki <1.39.16, 1.43.6, 1.44.3, 1.45.1 - Info Disclosure
Feb 03, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-67478
HIGH
Wikimedia Foundation CheckUser <1.39.14-1.44.1 - Info Disclosure
Feb 03, 2026
CVSS 8.8
EPSS 0.00
CVE-2025-67477
MEDIUM
MediaWiki < 1.44.3, 1.45.1 - Cross-Site Scripting in ApiSandboxLayout.Js
Feb 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-67476
MEDIUM
MediaWiki <1.44.3, 1.45.1 - Code Injection
Feb 03, 2026
CVSS 4.3
EPSS 0.00
CVE-2025-67475
MEDIUM
MediaWiki < 1.39.16, 1.43.6, 1.44.3, 1.45.1 - Cross-Site Scripting in CommentParser
Feb 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-61658
MEDIUM
Wikimedia Foundation CheckUser <1.43.4-1.44.1 - Info Disclosure
Feb 03, 2026
CVSS 4.3
EPSS 0.00
CVE-2025-61656
MEDIUM
VisualEditor < 1.39.14, 1.43.4, 1.44.1 - Cross-Site Scripting in Clipboard Handler
Feb 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-61655
MEDIUM
Wikimedia Foundation VisualEditor < 1.39.14, 1.43.4, 1.44.1 - Cross-Site Scripting in Save Dialog
Feb 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-61651
MEDIUM
Wikimedia Foundation CheckUser <1.44.1 - XSS
Feb 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-61648
MEDIUM
Wikimedia Foundation CheckUser <1.44.1 - XSS
Feb 03, 2026
CVSS 6.1
EPSS 0.00
Products
mediawiki 395
core 29
cargo 9
checkuser 8
abusefilter 3
visual_editor 3
mobilefrontend 2
abuse-filter 1
createredirect 1
data-transfer 1
matomo 1
mediawik 1
mediawiki_botquery_ext 1
rss_for_mediawiki 1
rssreader 1
score 1
scribunto 1
semantic-media-wiki 1
semantic_drilldown 1
shortdescription 1
skin\ 1
wikisource_category_browser 1