threatengine.sh
Product: mediawiki
420 known vulnerabilities across versions
Vulnerabilities are listed by affected version; each entry gives the CVE identifier, the affected version range, a summary, the CVSS base score and its severity rating. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-34095
< 1.43.7
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntr
6.1
MEDIUM
CVE-2026-34094
< 1.43.7
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php.
3.8
LOW
CVE-2026-34093
< 1.43.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability i
5.3
MEDIUM
CVE-2026-34092
< 1.43.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability i
7.5
HIGH
CVE-2026-34091
< 1.43.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects Me
7.5
HIGH
CVE-2026-34090
>= 1.45.0 and < 1.45.2
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser. This issue affects Ch
7.5
HIGH
CVE-2026-34088
< 1.43.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects Me
7.5
HIGH
CVE-2026-34087
< 1.43.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OAT
7.5
HIGH
CVE-2026-39841
< 3.8.7
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Ca
6.1
MEDIUM
CVE-2026-39840
< 3.8.7
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawi
6.1
MEDIUM
CVE-2026-39839
< 3.8.7
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Ca
6.1
MEDIUM
CVE-2026-39837
< 3.8.7
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extensi
5.4
MEDIUM
CVE-2025-67484
>= 1.39.0 and < 1.39.16
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php
9.8
CRITICAL
CVE-2025-67483
>= 1.43.0 and < 1.43.6
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-67481
>= 1.39.0 and < 1.39.16
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-67480
>= 1.39.0 and < 1.39.16
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevision
6.5
MEDIUM
CVE-2025-67478
>= 1.39.0 and < 1.39.14
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php.
8.8
HIGH
CVE-2025-67477
>= 1.44.0 and < 1.44.3
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-67476
>= 1.44.0 and < 1.44.3
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOld
4.3
MEDIUM
CVE-2025-67475
>= 1.39.0 and < 1.39.16
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-61658
>= 1.43.0 and < 1.43.4
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/Globa
4.3
MEDIUM
CVE-2025-61656
>= 1.39.0 and < 1.39.14
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-61655
>= 1.39.0 and < 1.39.14
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-61651
< 1.44.1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-61648
< 1.44.1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-61646
< 1.39.14
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/Enhanc
5.4
MEDIUM
CVE-2025-61645
< 1.44.1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-11261
< 1.39.15
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-61643
< 1.39.14
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/Recent
6.1
MEDIUM
CVE-2025-61642
< 1.39.14
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
6.1
MEDIUM
CVE-2025-61641
< 1.39.14
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages
6.1
MEDIUM
CVE-2025-61640
< 1.39.14
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
4.8
MEDIUM
CVE-2025-61639
< 1.39.14
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is
4.8
MEDIUM
CVE-2025-61638
< 1.39.14
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
4.8
MEDIUM
CVE-2025-61637
< 1.39.14
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
4.8
MEDIUM
CVE-2025-61636
< 1.39.14
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation
4.8
MEDIUM
CVE-2025-61634
< 1.39.14
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTM
3.1
LOW
CVE-2024-47849
all versions
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Med
9.8
CRITICAL
CVE-2024-47847
all versions
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundat
6.1
MEDIUM
CVE-2024-47846
all versions
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.Th
8.8
HIGH
CVE-2024-47913
< 1.39.9
An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x befo
5.3
MEDIUM
CVE-2024-40605
<= 1.42.1
An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level m
4.8
MEDIUM
CVE-2024-40604
<= 1.42.1
An issue was discovered in the Nimbus skin for MediaWiki through 1.42.1. There is Stored XSS via MediaWiki:Nimbus-sidebar menu and
4.8
MEDIUM
CVE-2024-40603
<= 1.42.1
An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter da
4.3
MEDIUM
CVE-2024-40602
<= 1.42.1
An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu e
4.8
MEDIUM
CVE-2024-40601
<= 1.42.1
An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules.
6.5
MEDIUM
CVE-2024-40600
<= 1.42.1
An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level me
4.8
MEDIUM
CVE-2024-40599
<= 1.42.1
An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu
4.8
MEDIUM
CVE-2024-40598
<= 1.42.1
An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log
4.3
MEDIUM
CVE-2024-40597
<= 1.42.1
An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. It can expose suppressed information for log even
7.5
HIGH
CVE-2024-40596
<= 1.42.1
An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppre
4.3
MEDIUM
CVE-2024-34507
< 1.39.7
An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.
7.4
HIGH
CVE-2024-34506
< 1.39.7
An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x befo
7.5
HIGH
CVE-2024-34502
< 1.39.6
An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Spec
9.8
CRITICAL
CVE-2024-34500
< 1.39.6
An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41
6.1
MEDIUM
CVE-2024-23179
< 1.40.2
An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i
6.1
MEDIUM
CVE-2024-23178
< 1.40.2
An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-p
5.4
MEDIUM
CVE-2024-23177
< 1.40.2
An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics p
6.1
MEDIUM
CVE-2024-23174
< 1.35.14
An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x b
5.4
MEDIUM
CVE-2024-23173
< 1.35.14
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before
6.1
MEDIUM
CVE-2024-23172
< 1.35.14
An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x be
5.4
MEDIUM
CVE-2024-23171
< 1.35.14
An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40
5.4
MEDIUM
CVE-2023-51704
< 1.35.14
An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/lo
6.1
MEDIUM
CVE-2023-45362
< 1.35.12
An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x befor
4.3
MEDIUM
CVE-2023-45360
< 1.35.12
An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS i
5.4
MEDIUM
CVE-2023-45374
< 1.35.12
An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x
5.3
MEDIUM
CVE-2023-45373
< 1.35.12
An issue was discovered in the ProofreadPage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40
6.1
MEDIUM
CVE-2023-45372
< 1.35.12
An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x be
5.3
MEDIUM
CVE-2023-45371
< 1.35.12
An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x be
7.5
HIGH
CVE-2023-45370
< 1.35.12
An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x
5.3
MEDIUM
CVE-2023-45369
< 1.35.12
An issue was discovered in the PageTriage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x
4.3
MEDIUM
CVE-2023-45367
< 1.35.12
An issue was discovered in the CheckUser extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x b
6.5
MEDIUM
CVE-2023-45364
>= 1.36.0 and < 1.39.5
An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. De
5.3
MEDIUM
CVE-2023-45363
< 1.35.12
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40
7.5
HIGH
CVE-2023-3550
all versions
Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file upload
7.3
HIGH
CVE-2023-36674
< 1.35.11
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before
5.3
MEDIUM
CVE-2023-37305
<= 1.39.3
An issue was discovered in the ProofreadPage (aka Proofread Page) extension for MediaWiki through 1.39.3. In includes/Page/PageCon
5.3
MEDIUM
CVE-2023-37304
<= 1.39.3
An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the colum
5.4
MEDIUM
CVE-2023-37303
<= 1.39.3
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user
9.8
CRITICAL
CVE-2023-37302
<= 1.39.3
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attri
6.1
MEDIUM
CVE-2023-37301
<= 1.39.3
An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo
5.3
MEDIUM
CVE-2023-37300
<= 1.39.3
An issue was discovered in the CheckUserLog API in the CheckUser extension for MediaWiki through 1.39.3. There is incorrect access
5.3
MEDIUM
CVE-2023-37256
<= 1.39.3
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields
6.1
MEDIUM
CVE-2023-37255
<= 1.39.3
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits"
6.1
MEDIUM
CVE-2023-37254
<= 1.39.3
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted pag
6.1
MEDIUM
CVE-2023-37251
<= 1.39.3
An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser f
6.1
MEDIUM
CVE-2023-36675
< 1.35.11
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormat
6.1
MEDIUM
CVE-2022-41766
< 1.35.8
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=roll
4.3
MEDIUM
CVE-2021-30153
< 1.31.13
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. When
4.3
MEDIUM
CVE-2023-29141
< 1.35.10
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block
9.8
CRITICAL
CVE-2023-29140
<= 1.39.3
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for
5.3
MEDIUM
CVE-2023-29139
<= 1.39.3
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes m
6.5
MEDIUM
CVE-2023-29137
<= 1.39.3
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperimen
4.3
MEDIUM
CVE-2017-20175
>= 2.4.0 and < 2.4.3
A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2 on MediaWiki. This af
2.6
LOW
CVE-2022-39193
all versions
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose i
5.3
MEDIUM
CVE-2023-22912
< 1.35.9
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser Token
5.3
MEDIUM
CVE-2023-22910
< 1.35.9
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in
5.4
MEDIUM
CVE-2022-47927
< 1.35.9
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing
5.5
MEDIUM
CVE-2023-22945
<= 1.39.0
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in Api
4.3
MEDIUM
CVE-2023-22911
< 1.35.9
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does
6.1
MEDIUM
CVE-2023-22909
< 1.35.9
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHi
5.3
MEDIUM
CVE-2022-41767
< 1.35.8
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made b
5.3
MEDIUM
CVE-2022-41765
< 1.35.8
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField e
5.3
MEDIUM
CVE-2021-44856
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter
5.3
MEDIUM
CVE-2021-44855
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via
5.4
MEDIUM
CVE-2021-44854
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches r
5.3
MEDIUM
CVE-2021-42049
<= 1.36.2
An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on
6.5
MEDIUM
CVE-2021-42048
<= 1.36.2
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Ne
4.8
MEDIUM
CVE-2021-42047
<= 1.36.2
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled
5.4
MEDIUM
CVE-2021-42046
<= 1.36.2
An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages wer
6.1
MEDIUM
CVE-2021-42045
<= 1.36.2
An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create aler
5.4
MEDIUM
CVE-2022-28204
>= 1.37.0 and < 1.37.2
A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere
7.5
HIGH
CVE-2022-28203
< 1.35.6
A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many fil
7.5
HIGH
CVE-2022-28201
< 1.35.6
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface p
4.4
MEDIUM
CVE-2022-39194
<= 1.38.2
An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension cou
4.9
MEDIUM
CVE-2022-34912
< 1.37.3
An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contribution
6.1
MEDIUM
CVE-2022-34911
< 1.35.7
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in co
6.1
MEDIUM
CVE-2022-34750
<= 1.38.1
An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand chara
7.5
HIGH
CVE-2022-28323
<= 1.37.2
An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is suppor
7.5
HIGH
CVE-2022-29907
<= 1.37.2
The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messag
6.1
MEDIUM
CVE-2022-29906
<= 1.37.2
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omit
9.8
CRITICAL
CVE-2022-29905
<= 1.37.2
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSR
4.3
MEDIUM
CVE-2022-29904
<= 1.37.2
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injectio
9.8
CRITICAL
CVE-2022-29903
<= 1.37.2
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editi
4.3
MEDIUM
CVE-2022-29547
< 2022-04-14
The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the
7.5
HIGH
CVE-2022-28209
<= 1.37.1
An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is
9.8
CRITICAL
CVE-2022-28206
<= 1.37.1
An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check fo
9.8
CRITICAL
CVE-2022-28205
<= 1.37.1
An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the f
9.8
CRITICAL
CVE-2022-28202
< 1.35.6
An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheig
6.1
MEDIUM
CVE-2017-0371
< 1.23.16
MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP
7.5
HIGH
CVE-2021-46150
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Special:CheckUserLog allows Ch
4.8
MEDIUM
CVE-2021-46149
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource
7.5
HIGH
CVE-2021-46148
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Some unprivileged users can vi
6.5
MEDIUM
CVE-2021-46147
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
8.8
HIGH
CVE-2021-46146
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The WikibaseMediaInfo componen
5.4
MEDIUM
CVE-2021-45474
<= 1.37
In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.
6.1
MEDIUM
CVE-2021-45473
<= 1.3.7
In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page
6.1
MEDIUM
CVE-2021-45472
<= 1.37
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a
6.1
MEDIUM
CVE-2021-45471
<= 1.37
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
5.3
MEDIUM
CVE-2021-44858
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=e
7.5
HIGH
CVE-2021-45038
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback qu
5.3
MEDIUM
CVE-2021-44857
< 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=m
6.5
MEDIUM
CVE-2021-41801
< 1.31.16
The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a repla
8.8
HIGH
CVE-2021-41800
< 1.36.2
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Speci
5.3
MEDIUM
CVE-2021-41799
< 1.36.2
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBackli
7.5
HIGH
CVE-2021-41798
< 1.36.2
MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search resul
6.1
MEDIUM
CVE-2021-42044
<= 1.36.2
An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperime
4.8
MEDIUM
CVE-2021-42043
<= 1.36.2
An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a pa
6.1
MEDIUM
CVE-2021-42042
<= 1.36.2
An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexper
4.8
MEDIUM
CVE-2021-42041
<= 1.36.2
An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly saniti
6.1
MEDIUM
CVE-2021-42040
<= 1.36.2
An issue was discovered in MediaWiki through 1.36.2. A parser function related to loop control allowed for an infinite loop (and p
7.5
HIGH
CVE-2021-31556
<= 1.35.2
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that
9.8
CRITICAL
CVE-2021-36132
<= 1.36
An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFile
8.8
HIGH
CVE-2021-36131
<= 1.36
An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged use
4.8
MEDIUM
CVE-2021-36130
<= 1.36
An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a
4.8
MEDIUM
CVE-2021-36129
<= 1.36
An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not valid
4.3
MEDIUM
CVE-2021-36128
<= 1.36
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression bloc
9.8
CRITICAL
CVE-2021-36127
<= 1.36
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search
4.3
MEDIUM
CVE-2021-36126
<= 1.36
An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. If the MediaWiki:Abusefilter-blocker message is in
9.8
CRITICAL
CVE-2021-36125
<= 1.36
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalRenameRequest page is vulnerable
7.5
HIGH
CVE-2021-35197
< 1.31.15
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API acces
7.5
HIGH
CVE-2021-31555
<= 1.35.2
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. It did not validate the oarc_version (aka oauth_regis
7.5
HIGH
CVE-2021-31554
<= 1.35.2
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certai
5.4
MEDIUM
CVE-2021-31553
<= 1.35.2
An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace coul
6.5
MEDIUM
CVE-2021-31552
<= 1.35.2
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related t
5.4
MEDIUM
CVE-2021-31551
<= 1.35.2
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query paramete
6.1
MEDIUM
CVE-2021-31550
<= 1.35.2
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious
5.4
MEDIUM
CVE-2021-31549
<= 1.35.2
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed fo
4.3
MEDIUM
CVE-2021-31548
<= 1.35.2
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or wa
6.5
MEDIUM
CVE-2021-31547
<= 1.35.2
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppresse
4.3
MEDIUM
CVE-2021-31546
<= 1.35.2
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly logged sensitive suppression del
4.3
MEDIUM
CVE-2021-31545
<= 1.35.2
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The page_recent_contributors leaked the existen
5.3
MEDIUM
CVE-2021-30159
< 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restriction
4.3
MEDIUM
CVE-2021-30156
< 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a
4.3
MEDIUM
CVE-2021-30155
< 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if
4.3
MEDIUM
CVE-2021-30152
< 1.31.13
An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "prot
4.3
MEDIUM
CVE-2021-30158
< 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Speci
5.3
MEDIUM
CVE-2021-30157
< 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as
6.1
MEDIUM
CVE-2021-30154
< 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediasta
6.1
MEDIUM
CVE-2020-29005
<= 1.35
The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential informatio
7.5
HIGH
CVE-2020-29004
<= 1.35
The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitate
8.8
HIGH
CVE-2020-35626
<= 1.35.1
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF
8.8
HIGH
CVE-2020-35625
<= 1.35.1
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the
8.8
HIGH
CVE-2020-35624
<= 1.35.1
An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote tim
5.3
MEDIUM
CVE-2020-35623
<= 1.35.1
An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed use
7.5
HIGH
CVE-2020-35622
<= 1.35.1
An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForei
6.1
MEDIUM
CVE-2020-35480
< 1.35.1
An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have
5.3
MEDIUM
CVE-2020-35479
>= 1.12.0 and < 1.35.1
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code pa
6.1
MEDIUM
CVE-2020-35478
>= 1.33.0 and < 1.35.1
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with
6.1
MEDIUM
CVE-2020-35477
< 1.35.1
MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Speci
5.3
MEDIUM
CVE-2020-35475
< 1.35.1
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen
7.5
HIGH
CVE-2020-35474
< 1.35.1
In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki
6.1
MEDIUM
CVE-2020-29003
<= 1.35
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:Create
5.4
MEDIUM
CVE-2020-29002
<= 1.35
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an
4.8
MEDIUM
CVE-2020-27957
<= 1.35
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieti
5.4
MEDIUM
CVE-2020-27621
<= 1.35.0
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP a
4.3
MEDIUM
CVE-2020-26121
< 1.34.4
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the tar
7.5
HIGH
CVE-2020-26120
< 1.34.4
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section lin
6.1
MEDIUM
CVE-2020-25869
< 1.31.10
An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. Handling of actor ID does
7.5
HIGH
CVE-2020-25828
>= 1.32.0 and < 1.34.4
An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.messa
6.1
MEDIUM
CVE-2020-25827
< 1.31.10
An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis u
7.5
HIGH
CVE-2020-25815
>= 1.32.0 and < 1.34.4
An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message
6.1
MEDIUM
CVE-2020-25814
< 1.31.10
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a messa
6.1
MEDIUM
CVE-2020-25813
< 1.31.10
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
5.3
MEDIUM
CVE-2020-25812
>= 1.34.0 and < 1.34.4
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys
6.1
MEDIUM
CVE-2020-15005
< 1.31.8
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using
3.1
LOW
CVE-2020-10959
< 1.35
resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redire
6.1
MEDIUM
CVE-2020-12051
all versions
The CentralAuth extension through REL1_34 for MediaWiki allows remote attackers to obtain sensitive hidden account information via
7.5
HIGH
CVE-2020-10960
< 1.34.1
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or
5.3
MEDIUM
CVE-2019-16528
all versions
An issue was discovered in the AbuseFilter extension for MediaWiki. includes/special/SpecialAbuseLog.php allows attackers to obtai
7.5
HIGH
CVE-2019-16529
<= 1.35
An issue was discovered in the CheckUser extension through 1.35.0 for MediaWiki. Oversighted edit summaries are still visible in C
5.3
MEDIUM
CVE-2019-15124
all versions
In the MobileFrontend extension for MediaWiki, XSS exists within the edit summary field of the watchlist feed. This affects REL1_3
6.1
MEDIUM
CVE-2020-10534
<= 1.34.0
In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted i
9.8
CRITICAL
CVE-2012-4381
< 1.18.5
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for contex
8.1
HIGH
CVE-2013-4572
< 1.19.9
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control hea
7.5
HIGH
CVE-2013-6455
< 1.19.10
The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to ob
5.3
MEDIUM
CVE-2013-6451
>= 1.19.9 and < 1.19.10
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows r
6.1
MEDIUM
CVE-2014-9481
< 1.19.23
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive informatio
5.9
MEDIUM
CVE-2020-6163
all versions
The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWi
6.1
MEDIUM
CVE-2019-19910
all versions
The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 and/or 1.34) mishandles certain HTML attributes, as demonstr
6.1
MEDIUM
CVE-2013-4303
>= 1.19.0 and < 1.19.8
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1
6.1
MEDIUM
CVE-2019-19709
<= 1.33.1
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title,
6.1
MEDIUM
CVE-2019-19708
<= 1.34
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard
6.1
MEDIUM
CVE-2013-1817
< 1.19.4
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain s
7.5
HIGH
CVE-2013-1816
< 1.19.4
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sendi
7.5
HIGH
CVE-2019-18987
<= 1.34
An issue was discovered in the AbuseFilter extension through 1.34 for MediaWiki. Once a specific abuse filter has (accidentally or
5.3
MEDIUM
CVE-2013-1951
< 1.19.5
A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 allows remote attackers to inje
6.1
MEDIUM
CVE-2019-18612
<= 1.34
An issue was discovered in the AbuseFilter extension through 1.34 for MediaWiki. Previously hidden (restricted) AbuseFilter filter
5.3
MEDIUM
CVE-2019-18611
<= 1.34
An issue was discovered in the CheckUser extension through 1.34 for MediaWiki. Certain sensitive information within oversighted ed
6.5
MEDIUM
CVE-2012-0046
< 1.17.2
MediaWiki allows deleted text to be exposed
7.5
HIGH
CVE-2019-16738
>= 1.31.0 and < 1.31.4
In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
5.3
MEDIUM
CVE-2019-14807
>= 1.31.0 and <= 1.33.0
In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/Mob
6.1
MEDIUM
CVE-2019-12470
< 1.27.6
Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2
6.5
MEDIUM
CVE-2019-12469
< 1.27.6
MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2
6.5
MEDIUM
CVE-2019-12474
>= 1.23.0 and < 1.27.6
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change h
7.5
HIGH
CVE-2019-12473
>= 1.27.0 and < 1.27.6
Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the ent
7.5
HIGH
CVE-2019-12472
>= 1.18.0 and < 1.27.6
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the lim
7.5
HIGH
CVE-2019-12471
>= 1.30.0 and < 1.30.2
Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the
6.1
MEDIUM
CVE-2019-12466
<= 1.32.1
Wikimedia MediaWiki through 1.32.1 allows CSRF.
8.8
HIGH
CVE-2019-12468
>= 1.27.0 and <= 1.32.1
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:Chan
9.8
CRITICAL
CVE-2019-12467
< 1.27.6
MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with
5.3
MEDIUM
CVE-2018-13258
>= 1.31.0 and <= 1.31.1
Mediawiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories that shouldn't be web
5.3
MEDIUM
CVE-2018-0505
>= 1.31.0 and < 1.31.1
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock
6.5
MEDIUM
CVE-2018-0504
>= 1.31.0 and < 1.31.1
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid
6.5
MEDIUM
CVE-2018-0503
>= 1.31.0 and < 1.31.1
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry f
4.3
MEDIUM
CVE-2014-1686
all versions
MediaWiki 1.18.0 allows remote attackers to obtain the installation path via vectors related to thumbnail creation.
5.3
MEDIUM
CVE-2017-0372
<= 1.23.15
Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vuln
9.8
CRITICAL
CVE-2017-0370
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the Spam blacklist is ineffective on encoded URLs inside file inclusio
5.3
MEDIUM
CVE-2017-0369
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing a sysop to undelete pages, although the page is protected ag
6.5
MEDIUM
CVE-2017-0368
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawHTML mode apply to system messages.
5.3
MEDIUM
CVE-2017-0367
>= 1.27.0 and < 1.27.2
Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default t
8.8
HIGH
CVE-2017-0366
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing to evade SVG filter using default attribute values in DTD decl
5.4
MEDIUM
CVE-2017-0365
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an XSS vulnerability in SearchHighlighter::highlightText() with non-default con
4.7
MEDIUM
CVE-2017-0364
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link.
6.1
MEDIUM
CVE-2017-0363
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sit
6.1
MEDIUM
CVE-2017-0362
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a
8.8
HIGH
CVE-2017-0361
>= 1.23.0 and <= 1.23.16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in p
7.8
HIGH
CVE-2015-8008
< 1.25.3
The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attacker
7.5
HIGH
CVE-2017-8815
<= 1.27.3
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attac
7.5
HIGH
CVE-2017-8814
<= 1.27.3
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text
7.5
HIGH
CVE-2017-8812
<= 1.27.3
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) charact
5.3
MEDIUM
CVE-2017-8811
<= 1.27.3
The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 a
6.1
MEDIUM
CVE-2017-8810
<= 1.27.3
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different err
7.5
HIGH
CVE-2017-8809
<= 1.27.3
api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.
9.8
CRITICAL
CVE-2017-8808
<= 1.27.3
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false
6.1
MEDIUM
CVE-2012-4378
<= 1.18.4
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScri
6.1
MEDIUM
CVE-2012-4377
<= 1.18.4
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arb
6.1
MEDIUM
CVE-2012-4382
<= 1.18.4
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrator
4.9
MEDIUM
CVE-2012-4380
<= 1.18.4
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking a
7.5
HIGH
CVE-2012-4379
<= 1.18.4
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote att
6.5
MEDIUM
CVE-2014-9487
all versions
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause
9.8
CRITICAL
CVE-2015-8009
<= 1.23.10
The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and befor
9.8
CRITICAL
CVE-2016-6337
all versions
MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to
7.5
HIGH
CVE-2016-6336
<= 1.23.14
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissio
6.5
MEDIUM
CVE-2016-6335
<= 1.23.14
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given ti
7.5
HIGH
CVE-2016-6334
<= 1.23.14
Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.
6.1
MEDIUM
CVE-2016-6333
<= 1.23.14
Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4
6.1
MEDIUM
CVE-2016-6332
<= 1.23.14
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote a
7.5
HIGH
CVE-2016-6331
<= 1.23.14
ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended pe
7.5
HIGH
CVE-2015-8628
<= 1.23.11
The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages
5.3
MEDIUM
CVE-2015-8627
<= 1.23.11
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addres
5.3
MEDIUM
CVE-2015-8626
<= 1.23.11
The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.
9.8
CRITICAL
CVE-2015-8625
<= 1.23.11
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters
7.5
HIGH
CVE-2015-8624
<= 1.23.11
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, an
8.8
HIGH
CVE-2015-8623
<= 1.23.11
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token
8.8
HIGH
CVE-2015-8622
<= 1.23.11
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x befor
6.1
MEDIUM
CVE-2015-8005
<= 1.23.10
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, whi
CVE-2015-8004
<= 1.23.10
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which all
CVE-2015-8003
<= 1.23.10
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not throttle file uploads, which allows remote authe
CVE-2015-8002
<= 1.23.10
The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authe
CVE-2015-8001
<= 1.23.10
The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict t
CVE-2015-6734
<= 1.23.9
Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the GeSHi, as used in the SyntaxHighlight_GeSHi extension and Me
CVE-2015-6733
<= 1.23.9
GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2
CVE-2015-6730
<= 1.23.9
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2
CVE-2015-6729
<= 1.23.9
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2
CVE-2015-6728
<= 1.23.9
The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perfor
CVE-2015-6727
<= 1.23.9
The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote at
CVE-2013-7444
<= 1.22.0
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Ch
CVE-2015-2942
<= 1.19.23
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial
CVE-2015-2941
<= 1.19.23
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHV
CVE-2015-2940
all versions
Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the aut
CVE-2015-2938
<= 1.19.23
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote a
CVE-2015-2937
<= 1.19.23
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to ca
CVE-2015-2936
all versions
MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU
CVE-2015-2935
<= 1.19.23
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obt
CVE-2015-2934
<= 1.19.23
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_pars
CVE-2015-2933
<= 1.19.23
Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24
CVE-2015-2932
<= 1.19.23
Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attacke
CVE-2015-2931
<= 1.19.23
Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x b
CVE-2014-9480
<= 1.19.22
Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web
CVE-2014-9479
<= 1.19.22
Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to
CVE-2014-9478
<= 1.19.22
Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to
CVE-2014-9477
<= 1.19.22
Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbit
CVE-2014-9476
<= 1.19.22
MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions
CVE-2014-9475
<= 1.19.22
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and
CVE-2014-9507
<= 1.19.21
MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers
CVE-2014-9277
<= 1.19.21
The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.
CVE-2014-9276
<= 1.19.21
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through
CVE-2014-7295
<= 1.19.19
The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1
CVE-2014-7199
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remot
CVE-2014-5243
<= 1.19.17
MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mech
CVE-2014-5242
all versions
Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before
CVE-2014-5241
<= 1.19.17
The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x
CVE-2014-3966
<= 1.19.15
Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x b
CVE-2013-1818
<= 1.20.2
maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2012-5395
<= 1.18.5
Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1
CVE-2012-5391
<= 1.18.5
Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 all
CVE-2014-3455
<= 1.19.9
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4)
CVE-2014-3454
<= 1.19.9
Cross-site request forgery (CSRF) vulnerability in Special:CreateCategory in the SemanticForms extension for MediaWiki before 1.19
CVE-2013-6472
<= 1.19.9
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted
CVE-2013-6454
<= 1.19.9
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote a
CVE-2013-6453
<= 1.19.9
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote a
CVE-2013-6452
<= 1.19.9
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote a
CVE-2013-4574
<= 1.19.9
Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1
CVE-2013-4571
<= 1.19.9
Buffer overflow in php-luasandbox in the Scribunto extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1
CVE-2013-4570
<= 1.19.9
The zend_inline_hash_func function in php-luasandbox in the Scribunto extension for MediaWiki before 1.19.10, 1.2x before 1.21.4,
CVE-2014-2853
<= 1.21.8
Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 al
CVE-2014-2665
<= 1.19.13
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5
CVE-2014-2244
<= 1.19.11
Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12,
CVE-2014-2243
<= 1.19.11
includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of
CVE-2014-2242
<= 1.19.11
includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not pre
CVE-2014-1610
all versions
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled,
CVE-2013-4304
all versions
The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid Centra
CVE-2013-4569
<= 1.19.8
The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by pag
CVE-2013-4568
<= 1.19.8
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21
CVE-2013-4567
<= 1.19.8
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21
CVE-2012-5394
<= 1.19.8
Cross-site request forgery (CSRF) vulnerability in the CentralAuth extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, an
CVE-2013-4573
all versions
Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess extension for MediaWiki 1.19.x before 1.19.9, 1.20.x before
CVE-2013-2114
all versions
Unrestricted file upload vulnerability in the chunk upload API in MediaWiki 1.19 through 1.19.6 and 1.20.x before 1.20.6 allows re
CVE-2013-2032
<= 1.19.5
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:
CVE-2013-2031
<= 1.19.5
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonst
CVE-2013-4302
all versions
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and
CVE-2013-4301
all versions
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.
CVE-2013-4306
>= 1.19.0 and < 1.19.8
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Ch
CVE-2013-4305
all versions
Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as
CVE-2013-4307
all versions
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x
CVE-2012-4885
all versions
The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of servic
CVE-2012-1582
all versions
Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows
CVE-2012-1581
all versions
MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier
CVE-2012-1580
all versions
Cross-site request forgery (CSRF) vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow
CVE-2012-1579
all versions
The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a Java
CVE-2012-1578
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow remote
CVE-2012-2698
<= 1.17.4
Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.
CVE-2011-4361
< 1.17.1
MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to
CVE-2011-4360
< 1.17.1
MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involvi
CVE-2011-1766
<= 1.16.4
includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogin is enabled, does not clear certain cached data after verif
CVE-2011-1765
<= 1.16.4
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote at
CVE-2011-1587
<= 1.16.3
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote at
CVE-2011-1580
<= 1.16.2
The transwiki import functionality in MediaWiki before 1.16.3 does not properly check privileges, which allows remote authenticate
CVE-2011-1579
<= 1.16.2
The checkCss function in includes/Sanitizer.php in the wikitext parser in MediaWiki before 1.16.3 does not properly validate Casca
CVE-2011-1578
<= 1.16.2
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote at
CVE-2010-2789
all versions
PHP remote file inclusion vulnerability in MediaWikiParserTest.php in MediaWiki 1.16 beta, when register_globals is enabled, allow
CVE-2010-2788
<= 1.15.4
Cross-site scripting (XSS) vulnerability in profileinfo.php in MediaWiki before 1.15.5, when wgEnableProfileInfo is enabled, allow
CVE-2010-2787
<= 1.15.4
api.php in MediaWiki before 1.15.5 does not prevent use of public caching headers for private data, which allows remote attackers
CVE-2011-0537
all versions
Multiple directory traversal vulnerabilities in (1) languages/Language.php and (2) includes/StubObject.php in MediaWiki 1.8.0 and
CVE-2011-0047
<= 1.16.1
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML
CVE-2011-0003
<= 1.16.0
MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks v
CVE-2010-1648
all versions
Cross-site request forgery (CSRF) vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3
CVE-2010-1647
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to in
CVE-2010-1150
<= 1.15.2
MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login att
CVE-2010-1190
<= 1.15.1
thumb.php in MediaWiki before 1.15.2, when used with access-restriction mechanisms such as img_auth.php, does not check user permi
CVE-2010-1189
<= 1.15.1
MediaWiki before 1.15.2 does not prevent wiki editors from linking to images from other web sites in wiki pages, which allows edit
CVE-2009-4589
all versions
Cross-site scripting (XSS) vulnerability in the Special:Block implementation in the getContribsLink function in SpecialBlockip.php
CVE-2009-0737
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12,
CVE-2008-5688
all versions
MediaWiki 1.8.1, and other versions before 1.13.3, when the wgShowExceptionDetails variable is enabled, sometimes provides the ful
CVE-2008-5687
all versions
MediaWiki 1.11, and other versions before 1.13.3, does not properly protect against the download of backups of deleted images, whi
CVE-2008-5252
all versions
Cross-site request forgery (CSRF) vulnerability in the Special:Import feature in MediaWiki 1.3.0 through 1.6.10, 1.12.x before 1.1
CVE-2008-5250
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet
CVE-2008-5249
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.0 through 1.13.2 allows remote attackers to inject arbitrary web script
CVE-2008-4408
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0, and possibly other versions before 1.13.2 allows remote atta
CVE-2008-1318
all versions
Unspecified vulnerability in MediaWiki 1.11 before 1.11.2 allows remote attackers to obtain sensitive "cross-site" information via
CVE-2008-0460
all versions
Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.
CVE-2007-4883
all versions
Cross-site scripting (XSS) vulnerability in the BotQuery extension in MediaWiki 1.7.x and earlier before SVN 20070910 allows remot
CVE-2007-4828
all versions
Cross-site scripting (XSS) vulnerability in the API pretty-printing mode in MediaWiki 1.8.0 through 1.8.4, 1.9.0 through 1.9.3, 1.
CVE-2007-1055
<= 1.8.2
Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.9.x before 1.9.0rc2, and 1.8.2 and earli
CVE-2007-1054
<= 1.8.2
Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.6.x through 1.9.2, when $wgUseAjax is en
CVE-2007-0894
all versions
MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) Mo
CVE-2007-0788
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki 1.9.x before 1.9.2 allows remote attackers to inject arbitrary web script or
CVE-2007-0177
all versions
Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9
CVE-2006-2895
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki 1.6.0 up to versions before 1.6.7 allows remote attackers to inject arbitrar
CVE-2006-2611
<= 1.6.5_r14348
Cross-site scripting (XSS) vulnerability in includes/Sanitizer.php in the variable handler in MediaWiki 1.6.x before r14349 allows
CVE-2006-1498
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.5.8 and 1.4.15 allows remote attackers to inject arbitrary web scri
CVE-2006-0322
all versions
Unspecified vulnerability in the edit comment formatting functionality in MediaWiki 1.5.x before 1.5.6 and 1.4.x before 1.4.14 allows
CVE-2005-4501
<= 1.5.3
MediaWiki before 1.5.4 uses a hard-coded "internal placeholder string", which allows remote attackers to bypass protection against
CVE-2005-4031
all versions
Eval injection vulnerability in MediaWiki 1.5.x before 1.5.3 allows remote attackers to execute arbitrary PHP code via the "user l
CVE-2005-3167
all versions
Incomplete blacklist vulnerability in MediaWiki before 1.4.11 does not properly remove certain CSS inputs (HTML inline style attri
CVE-2005-3166
all versions
Unspecified vulnerability in "edit submission handling" for MediaWiki 1.4.x before 1.4.10 and 1.3.x before 1.3.16 allows remote at
CVE-2005-3165
all versions
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.4.9 allow remote attackers to inject arbitrary web scrip
CVE-2005-2396
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and earlier allows remote attackers to inject arbitrary web script or
CVE-2005-2215
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.x before 1.4.6 and 1.5 before 1.5beta3 allows remote attackers to
CVE-2005-1888
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 allows remote attackers to inject arbitrary web script via HTML
CVE-2005-1245
all versions
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.2, when using HTML Tidy ($wgUseTidy), allows remote attackers to
CVE-2005-0536
all versions
Directory traversal vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to delete a
CVE-2005-0534
all versions
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allow remote atta
CVE-2005-0535
all versions
Cross-site request forgery (CSRF) vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attacke
CVE-2004-2187
all versions
Unknown vulnerability in ImagePage for MediaWiki 1.3.5, related to "filename validation," has unknown impact and attack vectors.
CVE-2004-2186
all versions
SQL injection vulnerability in MediaWiki 1.3.5 allows remote attackers to execute arbitrary SQL commands via SpecialMaintenance.
CVE-2004-2185
all versions
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.5 allow remote attackers to execute arbitrary scripts and/or
CVE-2004-2152
all versions
Cross-site scripting (XSS) vulnerability in 'raw' page output mode for MediaWiki 1.3.4 and earlier allows remote attackers to inje
CVE-2004-1405
all versions
MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php
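The CVE-2004-1405 entry above turns on a property of Apache mod_mime that still catches upload handlers today: a file may carry several extensions, and a handler such as `AddHandler php ...` applies if *any* of them matches, so `shell.php.jpg` can be executed as PHP even though its last extension looks like an image. A check that inspects only the final extension therefore passes the dangerous name. The following is an added example, not MediaWiki's own upload code, contrasting that naive check with one that examines every dot-separated segment. The extension sets, the function names `naive_final_extension_ok` and `is_safe_upload_name`, and the sample filenames are assumptions constructed for this illustration.

```python
# Extensions a typical Apache AddHandler/AddType configuration maps to a
# script handler. Constructed list for this example; tune it to the
# server's actual configuration rather than treating it as complete.
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "pl", "py", "cgi", "shtml", "asp", "aspx", "jsp",
}

# Final extensions the upload endpoint is willing to accept (constructed).
ALLOWED_FINAL = {"png", "jpg", "jpeg", "gif", "svg", "pdf"}


def extension_segments(filename: str) -> list[str]:
    """Return every extension segment of the basename, lower-cased.

    'dir/shell.php.jpg' -> ['php', 'jpg']; '.htaccess' -> ['htaccess'];
    'README' -> [].  Both '/' and '\\' are treated as path separators so a
    client-supplied path cannot hide the basename.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [seg for seg in base.lower().split(".")[1:]]


def naive_final_extension_ok(filename: str) -> bool:
    """The check the advisory describes as insufficient: last extension only."""
    segs = extension_segments(filename)
    return bool(segs) and segs[-1] in ALLOWED_FINAL


def is_safe_upload_name(filename: str) -> tuple[bool, str]:
    """Hardened check: every segment is inspected, not just the last.

    Returns (accepted, reason).  An empty segment (from 'a..jpg') is
    rejected too, since mod_mime simply skips it and the surrounding
    segments still apply.
    """
    segs = extension_segments(filename)
    if not segs:
        return False, "no extension"
    if any(seg == "" for seg in segs):
        return False, "empty extension segment"
    if segs[-1] not in ALLOWED_FINAL:
        return False, f"final extension .{segs[-1]} not allowed"
    for seg in segs[:-1]:
        if seg in SCRIPT_EXTENSIONS:
            return False, f"embedded script extension .{seg} (mod_mime may hand the file to a script handler)"
    return True, "ok"


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.php.jpg", "dir/evil.phtml.png", "a..jpg", "README"):
        print(f"{name:22} naive={naive_final_extension_ok(name)!s:5} hardened={is_safe_upload_name(name)}")
```

The hardened check is deliberately a denylist on interior segments plus an allowlist on the final one; a stricter policy is to allow exactly one extension and rename the stored file to a server-generated name, which removes the question entirely. Also keep script handlers out of the upload directory at the web-server level (for Apache, a `<Directory>` block that removes the handlers and disables `Options +ExecCGI`), so the filename check is not the only line of defence.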
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin