VYPR

Vendor CVEs

Wikimedia Foundation

All CVEs

245 total · sorted by risk
  • CVE-2025-12004CriOct 21, 2025
    risk 0.65cvss epss 0.00

    Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42.

  • CVE-2025-67484CriFeb 3, 2026
    risk 0.64cvss 9.8epss 0.00

    Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

  • CVE-2025-53484CriJul 4, 2025
    risk 0.64cvss 9.8epss 0.00

    User-controlled inputs are improperly escaped in: * VotePage.php (poll option input) * ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names) This allows attackers to inject JavaScript and compromise user sessions under certain…

  • CVE-2015-8009CriJul 25, 2017
    risk 0.64cvss 9.8epss 0.03

    The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another…

  • CVE-2025-53499CriJul 7, 2025
    risk 0.59cvss 9.1epss 0.00

    Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.

  • CVE-2025-53495CriJul 7, 2025
    risk 0.59cvss 9.1epss 0.00

    Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.

  • CVE-2026-39937HigApr 7, 2026
    risk 0.57cvss epss 0.00

    Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki…

  • CVE-2025-11175HigJan 30, 2026
    risk 0.57cvss epss 0.00

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki -…

  • CVE-2025-62697HigOct 20, 2025
    risk 0.57cvss epss 0.00

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in The Wikimedia Foundation Mediawiki - LanguageSelector Extension allows Code Injection.This issue affects Mediawiki - LanguageSelector Extension: from master before…

  • CVE-2025-6926HigJul 3, 2025
    risk 0.57cvss 8.8epss 0.00

    Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication.This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

  • CVE-2017-0362HigApr 13, 2018
    risk 0.57cvss 8.8epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.

  • CVE-2015-8624HigMar 23, 2017
    risk 0.57cvss 8.8epss 0.01

    The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows…

  • CVE-2017-0361HigApr 13, 2018
    risk 0.51cvss 7.8epss 0.00

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.

  • CVE-2026-34087HigMay 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.

  • CVE-2025-62658HigOct 20, 2025
    risk 0.49cvss epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44.

  • CVE-2025-53485HigJul 4, 2025
    risk 0.49cvss 7.5epss 0.00

    SetTranslationHandler.php does not validate that the user is an election admin, allowing any (even unauthenticated) user to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing. This issue affects Mediawiki…

  • CVE-2025-53481HigJul 4, 2025
    risk 0.49cvss 7.5epss 0.00

    Uncontrolled Resource Consumption vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Excessive Allocation.This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

  • CVE-2015-8008HigDec 29, 2017
    risk 0.49cvss 7.5epss 0.03

    The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.

  • CVE-2016-6337HigApr 20, 2017
    risk 0.49cvss 7.5epss 0.01

    MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights.

  • CVE-2026-39936MedApr 7, 2026
    risk 0.45cvss epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for…

  • CVE-2026-39935MedApr 7, 2026
    risk 0.45cvss epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS). This issue was remediated only on the `master` branch.

  • CVE-2026-39934MedApr 7, 2026
    risk 0.45cvss epss 0.00

    Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch.

  • CVE-2026-39933MedApr 7, 2026
    risk 0.45cvss epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release…

  • CVE-2026-39838MedApr 7, 2026
    risk 0.45cvss epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the `master` branch, and in the release…

  • CVE-2026-22711MedApr 7, 2026
    risk 0.45cvss epss 0.00

    Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and…

  • CVE-2025-62661MedOct 21, 2025
    risk 0.45cvss epss 0.00

    Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mediawiki - Thanks Extension, Mediawiki - Growth…

  • CVE-2025-62702MedOct 21, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS.This issue affects Mediawiki - PageTriage Extension: from master before 1.44.

  • CVE-2025-62701MedOct 21, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS.This issue affects Mediawiki - Wikistories: from master before 1.44.

  • CVE-2025-62694MedOct 21, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLove Extension allows Stored XSS.This issue affects Mediawiki - WikiLove Extension: 1.39.

  • CVE-2025-62699MedOct 21, 2025
    risk 0.45cvss epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Translate Extension allows Footprinting. Translate extension appears to use jobs to make edits to translation pages. This causes the CheckUser tool to log the wrong…

  • CVE-2025-62696MedOct 21, 2025
    risk 0.45cvss epss 0.01

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in The Wikimedia Foundation Mediawiki Foundation - Springboard Extension allows Command Injection.This issue affects Mediawiki Foundation - Springboard Extension: master.

  • CVE-2025-62695MedOct 21, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Stored XSS.This issue affects Mediawiki - WikiLambda Extension: master.

  • CVE-2025-62700MedOct 20, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - MultiBoilerplate Extensionmaste allows Stored XSS.This issue affects Mediawiki - MultiBoilerplate Extensionmaste: from master before…

  • CVE-2025-62698MedOct 20, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ExternalGuidance allows Stored XSS.This issue affects Mediawiki - ExternalGuidance: from master before 1.39.

  • CVE-2025-62693MedOct 20, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - LastModified Extension allows Stored XSS.This issue affects Mediawiki - LastModified Extension: from master before 1.39.

  • CVE-2025-11937MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - SecurePoll Extension allows Stored XSS.This issue affects Mediawiki - SecurePoll Extension: master.

  • CVE-2025-62670MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - FlexDiagrams Extension allows Stored XSS.This issue affects Mediawiki - FlexDiagrams Extension: master.

  • CVE-2025-62669MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.This issue affects Mediawiki - CentralAuth Extension: from master before 1.39.

  • CVE-2025-62668MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.

  • CVE-2025-62667MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Stored XSS.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.

  • CVE-2025-62666MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Allocation of Resources Without Limits or Throttling vulnerability in The Wikimedia Foundation Mediawiki - CirrusSearch Extension allows HTTP DoS.This issue affects Mediawiki - CirrusSearch Extension: from master before 1.43.

  • CVE-2025-62664MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ImageRating Extension allows Stored XSS.This issue affects Mediawiki - ImageRating Extension: from master before 1.39.

  • CVE-2025-62663MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - UploadWizard Extension allows Stored XSS.This issue affects Mediawiki - UploadWizard Extension: from master before 1.39.

  • CVE-2025-62662MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - AdvancedSearch Extension allows Stored XSS.This issue affects Mediawiki - AdvancedSearch Extension: from master before 1.39.

  • CVE-2025-62665MedOct 18, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Skin:BlueSky allows Stored XSS.This issue affects Mediawiki - Skin:BlueSky: from master before 1.39.

  • CVE-2025-32080MedApr 11, 2025
    risk 0.45cvss epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Mobile Frontend Extension allows Shared Resource Manipulation.This issue affects Mediawiki - Mobile Frontend Extension: from 1.39 through 1.43.

  • CVE-2025-32078MedApr 11, 2025
    risk 0.45cvss epss 0.00

    Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43.

  • CVE-2025-32077MedApr 11, 2025
    risk 0.45cvss epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Extension:SimpleCalendar allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Extension:SimpleCalendar: from 1.39 through 1.43.

  • CVE-2025-32076MedApr 11, 2025
    risk 0.45cvss epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Visual Data Extension allows HTTP DoS.This issue affects Mediawiki - Visual Data Extension: from 1.39 through 1.43.

  • CVE-2025-32075MedApr 11, 2025
    risk 0.45cvss epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Tabs Extension allows Code Injection.This issue affects Mediawiki - Tabs Extension: from 1.39 through 1.43.

Page 1 of 5