CVE-2019-19709
Description
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki ≤1.33.1: Title_blacklist bypass using a non-resolvable redirect and the redirect=1 parameter in an action API edit.
Vulnerability
CVE-2019-19709 is a security bypass in MediaWiki up to version 1.33.1 that allows attackers to circumvent the Title_blacklist protection mechanism. The bug occurs when a page is created with an arbitrary title, then a non-resolvable redirect is established for that page, and the page is edited via the action API with the redirect=1 parameter. Under these conditions, the blacklist check is not properly applied, enabling the creation of pages that should be blocked [1][2].
Exploitation
An attacker exploits this vulnerability by starting with a page under an arbitrary title, establishing a redirect for that page that does not resolve, and then editing the page through the action API with the redirect=1 parameter. This bypasses the Title_blacklist filter, which is intended to prevent the creation of malicious or unwanted page titles. The attack does not require any special privileges beyond the ability to create and edit pages [2].
Impact
Successful exploitation allows an attacker to create pages with titles that are explicitly forbidden by the Title_blacklist, such as spam, offensive names, or pages that mimic system functions. This can lead to content policy violations, confusion, and potential abuse of wiki resources [1].
Mitigation
The vulnerability has been patched in MediaWiki version 1.34 and later, and fixes were backported to supported release branches. Users are strongly advised to upgrade to a patched version. The issue was discovered and disclosed through Wikimedia's security process, and a CVE was assigned [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | >= 1.31.0, < 1.31.6 | 1.31.6 |
| mediawiki/core (Packagist) | >= 1.32.0, < 1.32.6 | 1.32.6 |
| mediawiki/core (Packagist) | >= 1.33.0, < 1.33.2 | 1.33.2 |
| mediawiki/core (Packagist) | >= 1.33.99, < 1.34.0 | 1.34.0 |
Affected products
- MediaWiki/MediaWiki
References
- github.com/advisories/GHSA-pjv5-vv93-p648 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-19709 (advisory)
- www.debian.org/security/2019/dsa-4592 (vendor advisory, Debian)
- gerrit.wikimedia.org/r/q/Ie54f366986056c876eade0fcad6c41f70b8b8de8
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-19709.yaml
- phabricator.wikimedia.org/T239466
- seclists.org/bugtraq/2019/Dec/48 (mailing list, Bugtraq)