VYPR
Vendor

Wikimedia Foundation

The Wikimedia Foundation, Inc. (WMF) is an American 501(c)(3) nonprofit organization headquartered in San Francisco, California, and registered there as a charitable foundation. The foundation is most known for being the host of Wikipedia, one of the most visited websites in the world. It also hosts fourteen related open collaboration projects, and supports the development of MediaWiki, the wiki software which underpins them all. The foundation was established in 2003 in St.

Founded 2003
Products
100
CVEs
245
Across products
200
Status
Private

Products

100
View all 100 products →

Recent CVEs

245
View all 245 CVEs →
  • CVE-2025-12004CriOct 21, 2025
    risk 0.65cvss epss 0.00

    Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42.

  • CVE-2025-67484CriFeb 3, 2026
    risk 0.64cvss 9.8epss 0.00

    Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

  • CVE-2025-53484CriJul 4, 2025
    risk 0.64cvss 9.8epss 0.00

    User-controlled inputs are improperly escaped in: * VotePage.php (poll option input) * ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names) This allows attackers to inject JavaScript and compromise user sessions under certain…

  • CVE-2015-8009CriJul 25, 2017
    risk 0.64cvss 9.8epss 0.03

    The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another…

  • CVE-2025-53499CriJul 7, 2025
    risk 0.59cvss 9.1epss 0.00

    Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.

  • CVE-2025-53495CriJul 7, 2025
    risk 0.59cvss 9.1epss 0.00

    Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.

  • CVE-2026-39937HigApr 7, 2026
    risk 0.57cvss epss 0.00

    Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki…

  • CVE-2025-11175HigJan 30, 2026
    risk 0.57cvss epss 0.00

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki -…

  • CVE-2025-62697HigOct 20, 2025
    risk 0.57cvss epss 0.00

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in The Wikimedia Foundation Mediawiki - LanguageSelector Extension allows Code Injection.This issue affects Mediawiki - LanguageSelector Extension: from master before…

  • CVE-2025-6926HigJul 3, 2025
    risk 0.57cvss 8.8epss 0.00

    Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication.This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

  • CVE-2017-0362HigApr 13, 2018
    risk 0.57cvss 8.8epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.

  • CVE-2015-8624HigMar 23, 2017
    risk 0.57cvss 8.8epss 0.01

    The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows…

  • CVE-2017-0361HigApr 13, 2018
    risk 0.51cvss 7.8epss 0.00

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.

  • CVE-2026-34087HigMay 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.

  • CVE-2025-62658HigOct 20, 2025
    risk 0.49cvss epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44.

  • CVE-2025-53485HigJul 4, 2025
    risk 0.49cvss 7.5epss 0.00

    SetTranslationHandler.php does not validate that the user is an election admin, allowing any (even unauthenticated) user to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing. This issue affects Mediawiki…

  • CVE-2025-53481HigJul 4, 2025
    risk 0.49cvss 7.5epss 0.00

    Uncontrolled Resource Consumption vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Excessive Allocation.This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

  • CVE-2015-8008HigDec 29, 2017
    risk 0.49cvss 7.5epss 0.03

    The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.

  • CVE-2016-6337HigApr 20, 2017
    risk 0.49cvss 7.5epss 0.01

    MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights.

  • CVE-2026-39936MedApr 7, 2026
    risk 0.45cvss epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for…