mediawiki
456 tracked vulnerabilities.
CVE-2026-14363
CRITICAL
Cargo Extension: SQLi in Special:Drilldown
Jul 01, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-58517
MEDIUM
Blocked users can create and edit WikiLambda objects
Jul 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-14358
MEDIUM
Stored XSS in Wikimedia Chart pie tooltip via Data:*.tab field title
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58521
CRITICAL
SQLi in Cargo extension via year range filter
Jul 01, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-58520
MEDIUM
UrlShortener defaults to ineffective validation open to third-party redirects
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-8857
HIGH
Wikimedia Foundation timeline - Full RCE Using EasyTimeline Extension
Jul 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-58038
MEDIUM
Stored XSS through javascript URLs in SVGs generated by EasyTimeline
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58037
MEDIUM
MediaWiki Log Formatting - Cross-Site Scripting
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58036
HIGH
Users API leaks whether privileged users have their user groups disabled for lack of 2FA
Jul 01, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-58033
MEDIUM
MediaWiki InfoAction - Deleted Author Name Exposure
Jul 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-58032
MEDIUM
mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58030
MEDIUM
Wikimedia Foundation SyntaxHighlight_GeSHi - SyntaxHighlight Stored XSS via Unsanitized 'linelinks' Attribute
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58029
MEDIUM
Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata
Jul 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-58028
MEDIUM
Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets
Jul 01, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-58027
MEDIUM
MediaWiki AbuseFilter API - Private Filter Hit Count Disclosure
Jul 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-58026
MEDIUM
$wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces
Jul 01, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-58025
CRITICAL
Remote Code Execution via Unsafe Deserialization in LogItem Import
Jul 01, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-58024
MEDIUM
Wikimedia Foundation MediaWiki - API Identification of Users on Private Wikis
Jul 01, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-13707
HIGH
Session fixation attacks on improperly configured OAuth 1.0a tools
Jul 01, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-13706
HIGH
UrlShortener extension url validation can be bypassed due to difference between php url parsing and WHATWG
Jul 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-58035
MEDIUM
Stored XSS through a system message in the codex version of Special:Block
Jul 01, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-58034
MEDIUM
Stored XSS through a system message when blocking a temporary account that's related to other temporary accounts
Jul 01, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-58031
MEDIUM
Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected
Jul 01, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-58519
MEDIUM
The Wikimedia Foundation Mediawiki - Cargo Extension - Stored XSS Through Cargo's Map Format
Jul 01, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-58518
MEDIUM
THE Wikimedia Foundation Mediawiki - RedirectManager Extension < 1.3.3 - Cross-Site Request Forgery (CSRF)
Jul 01, 2026
CVSS 6.3
EPSS 0.00
Products
mediawiki 417
core 29
cargo 12
checkuser 8
abusefilter 3
visual_editor 3
mobilefrontend 2
abuse-filter 1
createredirect 1
data-transfer 1
matomo 1
mediawik 1
mediawiki_botquery_ext 1
rss_for_mediawiki 1
rssreader 1
score 1
scribunto 1
semantic-media-wiki 1
semantic_drilldown 1
shortdescription 1
skin\ 1
wikisource_category_browser 1
Quick Filters