Vendor
MediaWiki
MediaWiki is a free and open-source wiki software system originally developed by Magnus Manske and released for use on Wikipedia on January 25, 2002, and further enhanced by Lee Daniel Crocker, after which development has been coordinated by the Wikimedia Foundation. It powers several wiki hosting websites across the Internet, as well as most websites hosted by the Wikimedia Foundation, including Wikipedia, Wiktionary, Wikimedia Commons, Wikiquote, Wikivoyage, Meta-Wiki and Wikidata, which define a large part of the set requirements for the software.
Founded 2002
Products
8
CVEs
193
Across products
4,764
Status
Private
Products
8- 4,739 CVEs
- 8 CVEs
- 6 CVEs
- 4 CVEs
- 4 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
193| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-8809 | Cri | 0.65 | 9.8 | 0.18 | Nov 15, 2017 | api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. | |
| CVE-2025-67484 | Cri | 0.64 | 9.8 | 0.00 | Feb 3, 2026 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | |
| CVE-2014-9487 | Cri | 0.64 | 9.8 | 0.01 | Oct 17, 2017 | The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053. | |
| CVE-2015-8626 | Cri | 0.64 | 9.8 | 0.01 | Mar 23, 2017 | The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack. | |
| CVE-2025-67478 | Hig | 0.57 | 8.8 | 0.00 | Feb 3, 2026 | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. | |
| CVE-2015-8624 | Hig | 0.57 | 8.8 | 0.00 | Mar 23, 2017 | The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623. | |
| CVE-2015-8623 | Hig | 0.57 | 8.8 | 0.00 | Mar 23, 2017 | The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624. | |
| CVE-2026-34090 | Hig | 0.49 | 7.5 | 0.00 | May 11, 2026 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser. This issue affects CheckUser: from 1.45.0 before 1.45.2. | |
| CVE-2026-34088 | Hig | 0.49 | 7.5 | 0.00 | May 11, 2026 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2. | |
| CVE-2017-8815 | Hig | 0.49 | 7.5 | 0.00 | Nov 15, 2017 | The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. | |
| CVE-2017-8814 | Hig | 0.49 | 7.5 | 0.01 | Nov 15, 2017 | The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk." | |
| CVE-2017-8810 | Hig | 0.49 | 7.5 | 0.01 | Nov 15, 2017 | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests. | |
| CVE-2012-4380 | Hig | 0.49 | 7.5 | 0.01 | Oct 19, 2017 | MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors. | |
| CVE-2016-6337 | Hig | 0.49 | 7.5 | 0.00 | Apr 20, 2017 | MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights. | |
| CVE-2016-6335 | Hig | 0.49 | 7.5 | 0.00 | Apr 20, 2017 | MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php. | |
| CVE-2015-8625 | Hig | 0.49 | 7.5 | 0.00 | Mar 23, 2017 | MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters. | |
| CVE-2025-67480 | Med | 0.42 | 6.5 | 0.00 | Feb 3, 2026 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | |
| CVE-2012-4379 | Med | 0.42 | 6.5 | 0.00 | Oct 19, 2017 | MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element. | |
| CVE-2016-6336 | Med | 0.42 | 6.5 | 0.00 | Apr 20, 2017 | MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. | |
| CVE-2026-39841 | Med | 0.40 | 6.1 | 0.00 | Apr 7, 2026 | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7. |