Miraheze

All CVEs

22 total · sorted by risk
  • CVE-2020-5302 · High · Apr 7, 2020
    risk 0.53 · cvss 8.2 · epss 0.01

    MH-WikiBot (an IRC bot for interacting with the Miraheze API) had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the nickname used by a privileged user, as no check was made to see if they were logged in. The issue…

  • CVE-2025-53371 · Critical · Jul 10, 2025
    risk 0.52 · cvss 9.1 · epss 0.00

    DiscordNotifications is an extension for MediaWiki that sends notifications of actions in your Wiki to a Discord channel. DiscordNotifications allows sending requests via curl and file_get_contents to arbitrary URLs set via $wgDiscordIncomingWebhookUrl and…

  • CVE-2024-47816 · Medium · Oct 9, 2024
    risk 0.35 · cvss 6.4 · epss 0.00

    ImportDump is a MediaWiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the…

  • CVE-2024-47815 · Medium · Oct 9, 2024
    risk 0.32 · cvss 6.0 · epss 0.00

    IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the `editincidents` right, some are…

  • CVE-2024-47812 · Medium · Oct 9, 2024
    risk 0.32 · cvss 6.0 · epss 0.00

    ImportDump is an extension for MediaWiki designed to automate user import requests. Anyone who can edit the interface strings of a wiki (typically administrators and interface admins) can embed XSS payloads in the messages for dates, and thus XSS anyone who views…

  • CVE-2024-29883 · Medium · Mar 26, 2024
    risk 0.32 · cvss 4.9 · epss 0.01

    CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may…

  • CVE-2024-34701 · Medium · May 14, 2024
    risk 0.31 · cvss 5.9 · epss 0.01

    CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester at the wiki where the wiki…

  • CVE-2024-29897 · Medium · Mar 28, 2024
    risk 0.25 · cvss 4.9 · epss 0.01

    CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where…

  • CVE-2024-47612 · Low · Oct 2, 2024
    risk 0.16 · cvss 3.5 · epss 0.00

    DataDump is a MediaWiki extension that provides dumps of wikis. Several interface messages are unescaped (more specifically, (datadump-table-column-queued), (datadump-table-column-in-progress), (datadump-table-column-completed), (datadump-table-column-failed)). If these messages…

  • CVE-2025-43861 · Medium · Apr 24, 2025
    risk 0.00 · cvss 4.4 · epss 0.00

    ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the…

  • CVE-2025-32964 · Medium · Apr 22, 2025
    risk 0.00 · cvss 4.6 · epss 0.00

    ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched…

  • CVE-2025-32956 · High · Apr 21, 2025
    risk 0.00 · cvss 8.0 · epss 0.01

    ManageWiki is a MediaWiki extension allowing users to manage wikis. Versions before commit f504ed8 are vulnerable to SQL injection when renaming a namespace in Special:ManageWiki/namespaces when using a page prefix (namespace name, which is the current namespace you are…

  • CVE-2024-47782 · High · Oct 7, 2024
    risk 0.00 · cvss 7.6 · epss 0.00

    WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a…

  • CVE-2024-47781 · Medium · Oct 7, 2024
    risk 0.00 · cvss 6.1 · epss 0.00

    CreateWiki is an extension used at Miraheze for requesting & creating wikis. The name of requested wikis is not escaped on Special:RequestWikiQueue, so a user can insert arbitrary HTML that is displayed in the request wiki queue when requesting a wiki. If a wiki creator comes…

  • CVE-2024-29898 · Medium · Mar 28, 2024
    risk 0.00 · cvss 4.9 · epss 0.01

    CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the…

  • CVE-2024-25109 · Medium · Feb 9, 2024
    risk 0.00 · cvss 6.5 · epss 0.00

    ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape interface messages on the `columns` and `help` keys on the form descriptor. An attacker may exploit this and would have a cross-site scripting attack vector. Exploiting…

  • CVE-2024-25107 · Medium · Feb 8, 2024
    risk 0.00 · cvss 4.9 · epss 0.00

    WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages…

  • CVE-2022-24813 · Medium · Apr 4, 2022
    risk 0.00 · cvss 5.3 · epss 0.01

    CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki's…

  • CVE-2021-39186 · Medium · Sep 1, 2021
    risk 0.00 · cvss 4.3 · epss 0.01

    GlobalNewFiles is a MediaWiki extension maintained by Miraheze. Prior to commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable to a stored XSS. Commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d contains…

  • CVE-2021-32774 · Medium · Jul 20, 2021
    risk 0.00 · cvss 6.1 · epss 0.00

    DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit…

  • CVE-2021-32722 · Medium · Jun 28, 2021
    risk 0.00 · cvss 6.5 · epss 0.01

    GlobalNewFiles is a MediaWiki extension. Versions prior to 48be7adb70568e20e961ea1cb70904454a671b1d are affected by an uncontrolled resource consumption vulnerability. A large number of page moves within a short space of time could overwhelm database servers due to improper…

  • CVE-2021-29483 · Critical · Apr 28, 2021
    risk 0.00 · cvss 9.4 · epss 0.01

    ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patc…