VYPR

Vendor CVEs

Wikimedia Foundation

All CVEs

245 total · sorted by risk
  • CVE-2024-47848MedOct 5, 2024
    risk 0.45cvss epss 0.01

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - PageTriage allows Authentication Bypass.This issue affects Mediawiki - PageTriage: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

  • CVE-2026-34092HigMay 11, 2026
    risk 0.42cvss 7.5epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Skin/Skin.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

  • CVE-2025-67480MedFeb 3, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

  • CVE-2025-53502MedJul 3, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X.

  • CVE-2025-32079MedApr 11, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43.

  • CVE-2025-23078MedJan 10, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Breadcrumbs2 extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Breadcrumbs2 extension: from 1.39.X before…

  • CVE-2023-45359MedOct 9, 2024
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup.

  • CVE-2012-4379MedOct 19, 2017
    risk 0.42cvss 6.5epss 0.01

    MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.

  • CVE-2025-7056MedJul 7, 2025
    risk 0.41cvss 6.3epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - UrlShortener Extension allows Stored XSS.This issue affects Mediawiki - UrlShortener Extension: from 1.42.X before 1.42.7, from 1.43.X…

  • CVE-2026-39841MedApr 7, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

  • CVE-2026-39839MedApr 7, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

  • CVE-2025-67483MedFeb 3, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before…

  • CVE-2025-67481MedFeb 3, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects…

  • CVE-2025-67477MedFeb 3, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects…

  • CVE-2025-67475MedFeb 3, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from *…

  • CVE-2025-61656MedFeb 3, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before…

  • CVE-2025-61655MedFeb 3, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArtic…

  • CVE-2025-53488MedJul 7, 2025
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - WikiHiero Extension allows Stored XSS.This issue affects Mediawiki - WikiHiero Extension: from 1.43.X before 1.43.2.

  • CVE-2025-53482MedJul 4, 2025
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from…

  • CVE-2025-23081MedJan 14, 2025
    risk 0.40cvss 6.1epss 0.00

    Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue…

  • CVE-2025-23079MedJan 10, 2025
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - ArticleFeedbackv5 extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - ArticleFeedbackv5 extension: from 1.42.X…

  • CVE-2023-45361MedOct 9, 2024
    risk 0.40cvss 6.1epss 0.00

    An issue was discovered in VectorComponentUserLinks.php in the Vector Skin component in MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-intro-page MalformedTitleException is uncaught if it is not a valid title, leading to incorrect web pages.

  • CVE-2017-0363MedApr 13, 2018
    risk 0.40cvss 6.1epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.

  • CVE-2012-4377MedOct 26, 2017
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.

  • CVE-2016-6334MedApr 20, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding…

  • CVE-2016-6333MedApr 20, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css.

  • CVE-2015-8622MedMar 23, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as…

  • CVE-2025-62657MedOct 20, 2025
    risk 0.38cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PageForms extension allows Stored XSS.This issue affects MediaWiki PageForms extension: 1.44.

  • CVE-2025-62656MedOct 20, 2025
    risk 0.38cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki GlobalBlocking extension allows Stored XSS.This issue affects MediaWiki GlobalBlocking extension: 1.43, 1.44.

  • CVE-2025-62652MedOct 17, 2025
    risk 0.38cvss epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki WebAuthn extension allows Stored XSS.This issue affects MediaWiki WebAuthn extension: 1.39, 1.43, 1.44.

  • CVE-2025-53479MedJul 8, 2025
    risk 0.35cvss 5.4epss 0.00

    The CheckUser extension’s Special:CheckUser interface is vulnerable to reflected XSS via the rev-deleted-user message. This message is rendered without proper escaping, making it possible to inject JavaScript through the uselang=x-xss language override mechanism. This…

  • CVE-2025-53480MedJul 8, 2025
    risk 0.35cvss 5.4epss 0.00

    The CheckUser extension’s Special:Investigate page has a vulnerability in the Account information tab, where specific internationalized messages are rendered without proper escaping. Attackers can exploit this by appending ?uselang=x-xss to the URL, causing reflected XSS when…

  • CVE-2025-53496MedJul 7, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MediaSearch Extension allows Stored XSS.This issue affects Mediawiki - MediaSearch Extension: from 1.42.X before 1.42.7, from 1.43.X…

  • CVE-2025-53497MedJul 7, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RelatedArticles Extension allows Stored XSS.This issue affects Mediawiki - RelatedArticles Extension: from 1.43.X before 1.43.2.

  • CVE-2025-53491MedJul 7, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - FlaggedRevs Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FlaggedRevs Extension: from 1.43.X before 1.43.2.

  • CVE-2025-7057MedJul 7, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Quiz Extension allows Stored XSS.This issue affects Mediawiki - Quiz Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7,…

  • CVE-2025-53487MedJul 7, 2025
    risk 0.35cvss 5.4epss 0.00

    The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes…

  • CVE-2025-53486MedJul 7, 2025
    risk 0.35cvss 5.4epss 0.00

    The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the…

  • CVE-2025-32074MedApr 11, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43.

  • CVE-2025-32073MedApr 11, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS).This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43.

  • CVE-2025-32071MedApr 11, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS) from widthheight message via ImageHandler::getDimensionsString()This issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43.

  • CVE-2025-32070MedApr 11, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43.

  • CVE-2025-32069MedApr 11, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Media Info Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Media Info Extension: from 1.39 through 1.43.

  • CVE-2025-32068MedApr 11, 2025
    risk 0.35cvss 5.4epss 0.00

    Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass.This issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43.

  • CVE-2025-32067MedApr 11, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43.

  • CVE-2025-23072MedJan 14, 2025
    risk 0.35cvss 5.4epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - RefreshSpecial Extension: from 1.39.X before…

  • CVE-2017-0370MedApr 13, 2018
    risk 0.35cvss 5.3epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw were Spam blacklist is ineffective on encoded URLs inside file inclusion syntax's link parameter.

  • CVE-2017-0366MedApr 13, 2018
    risk 0.35cvss 5.4epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing to evade SVG filter using default attribute values in DTD declaration.

  • CVE-2015-8627MedMar 23, 2017
    risk 0.35cvss 5.3epss 0.01

    MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not…

  • CVE-2026-5762MedApr 7, 2026
    risk 0.34cvss epss 0.00

    Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS. This issue was remediated only on the `master` branch.

Page 2 of 5