dokuwiki
40 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-26477
all versions
An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_x
4.3
MEDIUM
CVE-2019-25338
all versions
DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to id
5.3
MEDIUM
CVE-2023-34408
< 2023-04-04a
DokuWiki before 2023-04-04a allows XSS via RSS titles.
5.4
MEDIUM
CVE-2022-3123
< 2022-07-31a
Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a.
6.1
MEDIUM
CVE-2022-28919
all versions
HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _gener
6.1
MEDIUM
CVE-2018-15474
<= 2018-04-22a
CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and e
9.6
CRITICAL
CVE-2017-18123
<= 2017-02-19e
The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a refl
8.6
HIGH
CVE-2017-12980
<= 2017-02-19c
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can
6.1
MEDIUM
CVE-2017-12979
<= 2017-02-19c
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php.
6.1
MEDIUM
CVE-2017-12583
<= 2017-02-19b
DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php.
6.1
MEDIUM
CVE-2016-7965
<= 2016-06-26a
DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can
6.5
MEDIUM
CVE-2016-7964
all versions
The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching
8.6
HIGH
CVE-2015-2172
>= 2014-05-05 and < 2014-05-05d
DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote au
CVE-2014-9253
<= 2014-05-05c
The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote
CVE-2014-8764
<= 2013-12-08
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentic
CVE-2014-8763
<= 2014-05-05a
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication
CVE-2014-8762
<= 2013-12-08
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namesp
CVE-2014-8761
<= 2013-12-08
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to acc
CVE-2012-3354
all versions
doku.php in DokuWiki, as used in Fedora 16, 17, and 18, when certain PHP error levels are set, allows remote attackers to obtain s
CVE-2012-2129
all versions
Cross-site scripting (XSS) vulnerability in doku.php in DokuWiki 2012-01-25 Angua allows remote attackers to inject arbitrary web
CVE-2012-2128
all versions
Cross-site request forgery (CSRF) vulnerability in doku.php in DokuWiki 2012-01-25 Angua allows remote attackers to hijack the aut
CVE-2012-0283
<= 2012-01-25a
Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList function in inc/template.php in DokuWiki before 2012-01-25b allo
CVE-2011-3727
all versions
DokuWiki 2009-12-25c allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals th
CVE-2011-2510
<= 2010-11-07a
Cross-site scripting (XSS) vulnerability in the RSS embedding feature in DokuWiki before 2011-05-25a Rincewind allows remote attac
CVE-2010-0289
<= release_2009-02-14
Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 200
CVE-2010-0288
<= release_2009-02-14
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allow
CVE-2010-0287
<= release_2009-02-14
Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote at
CVE-2009-1960
all versions
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to
CVE-2007-3930
<= 2007-06-26
Interpretation conflict between Microsoft Internet Explorer and DocuWiki before 2007-06-26b allows remote attackers to inject arbi
CVE-2006-6965
all versions
CRLF injection vulnerability in lib/exe/fetch.php in DokuWiki 2006-03-09e, and possibly earlier, allows remote attackers to inject
CVE-2006-5099
all versions
lib/exec/fetch.php in DokuWiki before 2006-03-09e, when conf[imconvert] is configured to use ImageMagick, allows remote attackers
CVE-2006-5098
all versions
lib/exec/fetch.php in DokuWiki before 2006-03-09e allows remote attackers to cause a denial of service (CPU consumption) via large
CVE-2006-4679
<= release_2006-03-09
DokuWiki before 2006-03-09c enables the debug feature by default, which allows remote attackers to obtain sensitive information by
CVE-2006-4675
<= release_2006-03-09
Unrestricted file upload vulnerability in lib/exe/media.php in DokuWiki before 2006-03-09c allows remote attackers to upload execu
CVE-2006-4674
<= release_2006-03-09
Direct static code injection vulnerability in doku.php in DokuWiki before 2006-030-09c allows remote attackers to execute arbitrar
CVE-2006-2945
<= release_2006-03-09
Unspecified vulnerability in the user profile change functionality in DokuWiki, when Access Control Lists are enabled, allows remo
CVE-2006-2878
<= release_2006-06-04
The spellchecker (spellcheck.php) in DokuWiki 2006/06/04 and earlier allows remote attackers to insert and execute arbitrary PHP c
CVE-2006-1165
all versions
Cross-site scripting (XSS) vulnerability in the mediamanager module in DokuWiki before 2006-03-05 allows remote attackers to injec
CVE-2004-2560
all versions
DokuWiki before 2004-10-19, when used on a web server that permits execution based on file extension, allows remote attackers to e
CVE-2004-2559
all versions
DokuWiki before 2004-10-19 allows remote attackers to access administrative functionality including (1) Mediaselectiondialog, (2)
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin