CVE-2020-29007

CRITICAL

MediaWiki Score < 0.3.0 - Remote Code Execution via GNU LilyPond Sandbox Escape

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-29007. PoCs published by seqred-s-a.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2020-29007, a static code injection vulnerability in MediaWiki's Score extension. It explains how arbitrary Scheme code can be executed via Lilypond markup due to the lack of the -dsafe option, leading to remote code execution.

Description

The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code.

Exploits (1)

nomisec WRITEUP
by seqred-s-a · poc
https://github.com/seqred-s-a/cve-2020-29007

This repository provides a detailed technical analysis of CVE-2020-29007, a static code injection vulnerability in MediaWiki's Score extension. It explains how arbitrary Scheme code can be executed via Lilypond markup due to the lack of the -dsafe option, leading to remote code execution.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: MediaWiki Score extension (up to 0.3.0)
No auth needed
Prerequisites: Ability to edit any article on the vulnerable wiki
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.0232
EPSS Percentile 81.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
mediawiki/score < 0.3.0
Published Apr 15, 2023
Tracked Since Feb 18, 2026