mediawiki

456 tracked vulnerabilities.

CVE-2026-14363 CRITICAL
Cargo Extension: SQLi in Special:Drilldown
Jul 01, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-58517 MEDIUM
Blocked users can create and edit WikiLambda objects
Jul 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-14358 MEDIUM
Stored XSS in Wikimedia Chart pie tooltip via Data:*.tab field title
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58521 CRITICAL
SQLi in Cargo extension via year range filter
Jul 01, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-58520 MEDIUM
UrlShortener defaults to ineffective validation open to third-party redirects
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-8857 HIGH
Wikimedia Foundation timeline - Full RCE Using EasyTimeline Extension
Jul 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-58038 MEDIUM
Stored XSS through javascript URLs in SVGs generated by EasyTimeline
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58037 MEDIUM
MediaWiki Log Formatting - Cross-Site Scripting
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58036 HIGH
Users API leaks whether privileged users have their user groups disabled for lack of 2FA
Jul 01, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-58033 MEDIUM
MediaWiki InfoAction - Deleted Author Name Exposure
Jul 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-58032 MEDIUM
mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58030 MEDIUM
Wikimedia Foundation SyntaxHighlight_GeSHi - SyntaxHighlight Stored XSS via Unsanitized 'linelinks' Attribute
Jul 01, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-58029 MEDIUM
Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata
Jul 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-58028 MEDIUM
Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets
Jul 01, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-58027 MEDIUM
MediaWiki AbuseFilter API - Private Filter Hit Count Disclosure
Jul 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-58026 MEDIUM
$wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces
Jul 01, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-58025 CRITICAL
Remote Code Execution via Unsafe Deserialization in LogItem Import
Jul 01, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-58024 MEDIUM
Wikimedia Foundation MediaWiki - API Identification of Users on Private Wikis
Jul 01, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-13707 HIGH
Session fixation attacks on improperly configured OAuth 1.0a tools
Jul 01, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-13706 HIGH
UrlShortener extension url validation can be bypassed due to difference between php url parsing and WHATWG
Jul 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-58035 MEDIUM
Stored XSS through a system message in the codex version of Special:Block
Jul 01, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-58034 MEDIUM
Stored XSS through a system message when blocking a temporary account that's related to other temporary accounts
Jul 01, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-58031 MEDIUM
Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected
Jul 01, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-58519 MEDIUM
The Wikimedia Foundation Mediawiki - Cargo Extension - Stored XSS Through Cargo's Map Format
Jul 01, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-58518 MEDIUM
THE Wikimedia Foundation Mediawiki - RedirectManager Extension < 1.3.3 - Cross-Site Request Forgery (CSRF)
Jul 01, 2026
CVSS 6.3
EPSS 0.00