VYPR

MediaWiki

All CVEs

381 total · sorted by risk
  • CVE-2017-0363 · Med · Apr 13, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.

  • CVE-2017-8811 · Med · Nov 15, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks.

  • CVE-2017-8808 · Med · Nov 15, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping.

  • CVE-2012-4378 · Med · Oct 26, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.

  • CVE-2012-4377 · Med · Oct 26, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.

  • CVE-2016-6334 · Med · Apr 20, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding…

  • CVE-2016-6333 · Med · Apr 20, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css.

  • CVE-2015-8622 · Med · Mar 23, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as…

  • CVE-2026-39837 · Med · Apr 7, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.

  • CVE-2025-7363 · Med · Jul 8, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject…

  • CVE-2025-7362 · Med · Jul 8, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice. This issue affects…

  • CVE-2025-53479 · Med · Jul 8, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The CheckUser extension's Special:CheckUser interface is vulnerable to reflected XSS via the rev-deleted-user message. This message is rendered without proper escaping, making it possible to inject JavaScript through the uselang=x-xss language override mechanism. This…

  • CVE-2025-53480 · Med · Jul 8, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The CheckUser extension's Special:Investigate page has a vulnerability in the Account information tab, where specific internationalized messages are rendered without proper escaping. Attackers can exploit this by appending ?uselang=x-xss to the URL, causing reflected XSS when…

  • CVE-2025-53478 · Med · Jul 7, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The CheckUser extension's Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the "IPs and User agents" tab. This issue affects Mediawiki - CheckUser extension: from 1.39.X…

  • CVE-2025-53487 · Med · Jul 7, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes…

  • CVE-2025-53486 · Med · Jul 7, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the…

  • CVE-2018-13258 · Med · Oct 4, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    Mediawiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories that shouldn't be web accessible.

  • CVE-2014-1686 · Med · Apr 16, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    MediaWiki 1.18.0 allows remote attackers to obtain the installation path via vectors related to thumbnail creation.

  • CVE-2017-0370 · Med · Apr 13, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the Spam blacklist is ineffective on encoded URLs inside the file inclusion syntax's link parameter.

  • CVE-2017-0368 · Med · Apr 13, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawHTML mode apply to system messages.

  • CVE-2017-0366 · Med · Apr 13, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that allows the SVG filter to be evaded using default attribute values in a DTD declaration.

  • CVE-2017-8812 · Med · Nov 15, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline.

  • CVE-2015-8628 · Med · Mar 23, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user…

  • CVE-2015-8627 · Med · Mar 23, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not…

  • CVE-2019-16738 · Med · Sep 26, 2019
    risk 0.34 · cvss 5.3 · epss 0.02

    In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.

  • CVE-2012-4382 · Med · Oct 19, 2017
    risk 0.32 · cvss 4.9 · epss 0.01

    MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.

  • CVE-2017-0365 · Med · Apr 13, 2018
    risk 0.31 · cvss 4.7 · epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations.

  • CVE-2025-67476 · Med · Feb 3, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

  • CVE-2025-61658 · Med · Feb 3, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php. This issue affects CheckUser: from * before 1.43.4, 1.44.1.

  • CVE-2018-0503 · Med · Oct 4, 2018
    risk 0.28 · cvss 4.3 · epss 0.02

    Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where, contrary to the documentation, the $wgRateLimits entry for 'user' overrides that for 'newbie'.

  • CVE-2026-34093 · Med · May 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

  • CVE-2025-62655 · Low · Oct 17, 2025
    risk 0.14 · cvss n/a · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki Cargo extension allows SQL Injection. This issue affects MediaWiki Cargo extension: 1.39, 1.43, 1.44.

  • CVE-2025-67482 · Low · Feb 3, 2026
    risk 0.11 · cvss n/a · epss 0.00

    Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1;…

  • CVE-2025-61650 · Low · Feb 3, 2026
    risk 0.07 · cvss n/a · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from *…

  • CVE-2025-61649 · Low · Feb 3, 2026
    risk 0.07 · cvss n/a · epss 0.00

    Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f110651b6af4f41d2d11ae7309.

  • CVE-2014-1610 · Jan 30, 2014
    risk 0.06 · cvss n/a · epss 0.43

    MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w…

  • CVE-2025-61647 · Low · Feb 3, 2026
    risk 0.03 · cvss n/a · epss 0.00

    Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php. This issue affects CheckUser: from a3dc1bbcc33acbcca6831d6afaccbb1054c93a57, 0584eb2ad564648aa3ce9c555dd044dda02b55f4.

  • CVE-2007-0177 · Jan 11, 2007
    risk 0.03 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2023-24612 · Jan 30, 2023
    risk 0.01 · cvss n/a · epss 0.01

    The PdfBook extension through 2.0.5 before b07b6a64 for MediaWiki allows command injection via an option.

  • CVE-2008-0460 · Jan 25, 2008
    risk 0.01 · cvss n/a · epss 0.15

    Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary…

  • CVE-2025-53501 · Jul 3, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper Access Control vulnerability in Wikimedia Foundation Mediawiki - Scribunto Extension allows: Accessing Functionality Not Properly Constrained by Authorization. This issue affects Mediawiki - Scribunto Extension: from 1.39.X before 1.39.12, from 1.42.X before 1.42.7,…

  • CVE-2025-43861 · Apr 24, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the…

  • CVE-2025-32964 · Apr 22, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched…

  • CVE-2024-47846 · Oct 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery. This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.

  • CVE-2024-47849 · Oct 5, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection. This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.

  • CVE-2024-40598 · Jul 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events. (The log_deleted attribute is not applied to entries.)

  • CVE-2024-40605 · Jul 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

  • CVE-2024-40602 · Jul 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

  • CVE-2024-40603 · Jul 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request.

  • CVE-2024-40601 · Jul 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules.

Page 2 of 8