VYPR
Vendor

MediaWiki

MediaWiki is a free and open-source wiki software system originally developed by Magnus Manske and released for use on Wikipedia on January 25, 2002, and further enhanced by Lee Daniel Crocker, after which development has been coordinated by the Wikimedia Foundation. It powers several wiki hosting websites across the Internet, as well as most websites hosted by the Wikimedia Foundation, including Wikipedia, Wiktionary, Wikimedia Commons, Wikiquote, Wikivoyage, Meta-Wiki and Wikidata, which define a large part of the set requirements for the software.

Founded 2002
Products
82
CVEs
381
Across products
363
Status
Private

Products

82
View all 82 products →

Recent CVEs

381
View all 381 CVEs →
  • CVE-2017-0372CriApr 13, 2018
    risk 0.68cvss 9.8epss 0.12

    Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities.

  • CVE-2025-67484CriFeb 3, 2026
    risk 0.64cvss 9.8epss 0.00

    Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

  • CVE-2025-53484CriJul 4, 2025
    risk 0.64cvss 9.8epss 0.00

    User-controlled inputs are improperly escaped in: * VotePage.php (poll option input) * ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names) This allows attackers to inject JavaScript and compromise user sessions under certain…

  • CVE-2017-8809CriNov 15, 2017
    risk 0.64cvss 9.8epss 0.08

    api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.

  • CVE-2014-9487CriOct 17, 2017
    risk 0.64cvss 9.8epss 0.02

    The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.

  • CVE-2015-8009CriJul 25, 2017
    risk 0.64cvss 9.8epss 0.03

    The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another…

  • CVE-2015-8626CriMar 23, 2017
    risk 0.64cvss 9.8epss 0.02

    The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack.

  • CVE-2025-67478HigFeb 3, 2026
    risk 0.57cvss 8.8epss 0.00

    Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1.

  • CVE-2025-53483HigJul 4, 2025
    risk 0.57cvss 8.8epss 0.00

    ArchivePage.php, UnarchivePage.php, and VoterEligibilityPage#executeClear() do not validate request methods or CSRF tokens, allowing attackers to trigger sensitive actions if an admin visits a malicious site. This issue affects Mediawiki - SecurePoll extension: from 1.39.X…

  • CVE-2017-0367HigApr 13, 2018
    risk 0.57cvss 8.8epss 0.02

    Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure.

  • CVE-2017-0362HigApr 13, 2018
    risk 0.57cvss 8.8epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.

  • CVE-2015-8624HigMar 23, 2017
    risk 0.57cvss 8.8epss 0.01

    The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows…

  • CVE-2015-8623HigMar 23, 2017
    risk 0.57cvss 8.8epss 0.01

    The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack,…

  • CVE-2023-29134HigMar 27, 2024
    risk 0.56cvss 8.6epss 0.01

    An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. There is mishandling of backticks to smartSplit.

  • CVE-2017-0361HigApr 13, 2018
    risk 0.51cvss 7.8epss 0.00

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.

  • CVE-2026-34091HigMay 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

  • CVE-2026-34090HigMay 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser. This issue affects CheckUser: from 1.45.0 before 1.45.2.

  • CVE-2026-34087HigMay 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.

  • CVE-2025-53485HigJul 4, 2025
    risk 0.49cvss 7.5epss 0.00

    SetTranslationHandler.php does not validate that the user is an election admin, allowing any (even unauthenticated) user to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing. This issue affects Mediawiki…

  • CVE-2015-8008HigDec 29, 2017
    risk 0.49cvss 7.5epss 0.03

    The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.