225 matches found
CVE-2026-14363
A flaw was found in the Mediawiki Cargo Extension. This vulnerability, identified as SQL Injection, allows an attacker to execute malicious SQL commands. By exploiting improper handling of special characters in SQL commands, an attacker can potentially access, modify, or delete sensitive data...
CVE-2026-58517
CVE-2026-58517 concerns the Wikimedia Foundation’s MediaWiki WikiLambda Extension, with an issue labeled as an improper neutralization of input terminators that enables an authentication bypass. Affected versions are WikiLambda Extension releases prior to 1.43.9, 1.44.6, and 1.45.4. The CVSS 4.0 ...
CVE-2026-55692
creationtimestamp| type| source ---|---|--- 2026-06-19 18:22:09+00:00| published-proof-of-concept| https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-5c7p-g73q-rpg5...
EUVD-2026-19976
Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting XSS.This issue affects non release branches...
CVE-2026-39937
Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the master branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1....
CVE-2026-30977
RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...
CVE-2026-30977
RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...
CVE-2026-30977
The CVE covers the MediaWiki extension RenderBlocking. Before version 0.1.1, a Stored XSS flaw existed in renderblocking-css when Inline Assets mode was used. Exploitation requires wgRenderBlockingInlineAssets = true and editsitecss user rights. The issue is fixed in 0.1.1. Affected component: re...
PT-2026-24343
Name of the Vulnerable Software and Affected Versions MediaWiki RenderBlocking versions prior to 0.1.1 Description The RenderBlocking extension for MediaWiki allows interface administrators to specify render-blocking CSS and JavaScript. Prior to version 0.1.1, a Stored Cross-Site Scripting XSS...
RenderBlocking 跨站脚本漏洞
RenderBlocking is a media wiki extension developed by Peter Li, designed to prevent page style changes from occurring intermittently. Versions of RenderBlocking prior to 0.1.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the renderblocking-css in the Inline Asse...
Bucket 跨站脚本漏洞
Bucket is a structured data storage extension for MediaWiki developed by Weird Gloop. Versions of Bucket prior to 2.1.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the PAGE type field containing stored cross-site scripts, which could allow malicious scripts to ...
EUVD-2026-10427
Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed ...
CVE-2026-30917 Stored XSS on Bucket namespace pages
Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed ...
EUVD-2025-206571
Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extensio...
CVE-2025-11175
CVE-2025-11175 concerns the MediaWiki DiscussionTools extension (version 1.44 and 1.43 affected) and is caused by improper neutralization of certain expression language elements, enabling a Regular Expression exponential blowup. Public entries from NVD, Debian security tracker, and related OSV en...
CVE-2026-0671
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting XSS.This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39...
CVE-2023-45373
An issue was discovered in the ProofreadPage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. XSS can occur via formatNumNoSeparators...
CVE-2026-22712
Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39...
CVE-2026-0669 Path Traversal vulnerability in CSS extension on certain web servers
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal.This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39...
CVE-2025-67646
TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the...