642 matches found

Cvelist
added 2026/05/11 2:35 p.m. | 28 views

CVE-2026-34086 AbuseFilter misuses ::userCanBitfield, exposing access-controlled information

Vulnerability in Wikimedia Foundation AbuseFilter. This issue affects AbuseFilter: from before 1.43.7, 1.44.4, 1.45.2...

CVSS 2.1 | EPSS 0.00244
Exploits: 0 | References: 1

CNNVD
added 2026/05/11 12:0 a.m. | 7 views

Wikimedia Scribunto cross-site scripting vulnerability

Wikimedia Scribunto is a scripting development tool provided by the Wikimedia Foundation. Versions of Wikimedia Scribunto from 1.45.0 to 1.45.2 had a cross-site scripting vulnerability. This vulnerability was caused by a memory leak, resulting in insufficient memory for the runJobs.php script...

CVSS 2.3 | AI score 5.6 | EPSS 0.00228
Exploits: 0 | References: 1

CNNVD
added 2026/05/11 12:0 a.m. | 8 views

Wikimedia OATHAuth information disclosure vulnerability

Wikimedia OATHAuth is a dual authentication extension developed by the Wikimedia Foundation. Versions of Wikimedia OATHAuth prior to 1.43.7, as well as 1.44.4 and 1.45.2, contained a vulnerability that led to the exposure of sensitive information to unauthorized attackers...

CVSS 7.5 | AI score 5.8 | EPSS 0.00267
Exploits: 0 | References: 1

CNNVD
added 2026/05/11 12:0 a.m. | 7 views

Wikimedia Echo information disclosure vulnerability

Wikimedia Echo is a messaging extension provided by the Wikimedia Foundation that offers features for sending notifications within the site and reminding users. Wikimedia Echo has a vulnerability related to information leakage, which stems from the exposure of sensitive information in the program...

CVSS 2.3 | AI score 5.7 | EPSS 0.00247
Exploits: 0 | References: 1

CNNVD
added 2026/05/11 12:0 a.m. | 6 views

Wikimedia CheckUser information disclosure vulnerability

Wikimedia CheckUser is an advanced investigation tool of the Wikimedia Foundation designed to combat disruptive behavior. Versions of Wikimedia CheckUser from 1.45.0 to 1.45.2 contained a vulnerability related to information leakage, which resulted in sensitive information being exposed to...

CVSS 7.5 | AI score 5.8 | EPSS 0.0028
Exploits: 0 | References: 1

CNNVD
added 2026/05/11 12:0 a.m. | 7 views

Wikimedia AbuseFilter input validation error vulnerability

Wikimedia AbuseFilter is an editing filter tool developed by the Wikimedia Foundation, designed to automatically filter and block suspicious edits, account creation, and other disruptive activities based on custom rules. Versions of Wikimedia AbuseFilter prior to 1.43.7, as well as versions 1.44....

CVSS 2.1 | AI score 5.8 | EPSS 0.00244
Exploits: 0 | References: 1

EUVD
added 2026/04/08 12:30 a.m. | 4 views

EUVD-2026-19980

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting XSS. This issue affects Mediawiki - CampaignEvents Extension: 1.43.7, 1.44.4, 1.45.2...

CVSS 6.9 | AI score 5.9 | EPSS 0.00293
Exploits: 0 | References: 3

NVD
added 2026/04/07 10:16 p.m. | 2 views

CVE-2026-39937

Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the master branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1....

CVSS 8.8 | EPSS 0.00263
Exploits: 0 | References: 2

NVD
added 2026/04/07 10:16 p.m. | 4 views

CVE-2026-39933

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting XSS. The issue has been remediated on the master branch, and in the release branches for MediaWiki version...

CVSS 6.9 | EPSS 0.00335
Exploits: 0 | References: 2

Cvelist
added 2026/04/07 9:51 p.m. | 14 views

CVE-2026-39933 Multiple XSS vulnerabilities in GlobalWatchlist

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting XSS. The issue has been remediated on the master branch, and in the release branches for MediaWiki version...

CVSS 6.9 | EPSS 0.00335
Exploits: 0 | References: 2

EUVD
added 2026/04/07 9:32 p.m. | 4 views

EUVD-2026-19889

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. This issue affects...

CVSS 6.9 | AI score 5.9 | EPSS 0.00402
Exploits: 0 | References: 3

EUVD
added 2026/04/07 9:32 p.m. | 5 views

EUVD-2026-19851

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting XSS. This issue affects Mediawiki - Wikilove Extension: 1.43.7, 1.44.4, 1.45.2...

CVSS 6.9 | AI score 5.9 | EPSS 0.00293
Exploits: 0 | References: 3

ATTACKERKB
added 2026/04/07 7:29 p.m. | 2 views

CVE-2026-39839

Improper neutralization of Script-Related HTML tags in a web page basic XSS vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7...

CVSS 6.3 | AI score 5.9 | EPSS 0.00181
Exploits: 1 | References: 4

CVE
added 2026/04/07 6:42 p.m. | 5 views

CVE-2026-5762

CVE-2026-5762 affects the Wikimedia Foundation MediaWiki ReportIncident Extension versions 1.43.7, 1.44.4, and 1.45.2. The root cause is allocation of resources without limits or throttling, enabling HTTP DoS and causing potential resource exhaustion (impact on availability). The document provide...

CVSS 5.3 | AI score 5.9 | EPSS 0.00256
Exploits: 0 | References: 2

Positive Technologies
added 2026/04/07 12:0 a.m. | 2 views

PT-2026-30974

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting XSS. This issue affects Mediawiki - Wikilove Extension: 1.43.7, 1.44.4, 1.45.2...

CVSS 6.9 | AI score 5.9 | EPSS 0.00293
Exploits: 0 | References: 3

Positive Technologies
added 2026/04/03 12:0 a.m. | 10 views

PT-2026-33204

Name of the Vulnerable Software and Affected Versions: Wikimedia Foundation CheckUser versions 1.45.0 through 1.45.1. Description: An issue exists that allows the exposure of sensitive information to an unauthorized actor. Recommendations: Update to version 1.45.2...

CVSS 7.5 | AI score 5.8 | EPSS 0.0028
Exploits: 0 | References: 12

Positive Technologies
added 2026/04/03 12:0 a.m. | 5 views

PT-2026-33200

Name of the Vulnerable Software and Affected Versions: AbuseFilter versions prior to 1.43.7; AbuseFilter versions prior to 1.44.4; AbuseFilter versions prior to 1.45.2. Description: A security issue exists in the Wikimedia Foundation AbuseFilter. Recommendations: Update to version 1.43.7 or later. Upda...

CVSS 2.1 | AI score 5.8 | EPSS 0.00244
Exploits: 0 | References: 11

Positive Technologies
added 2026/04/03 12:0 a.m. | 7 views

PT-2026-33201

Name of the Vulnerable Software and Affected Versions: OATHAuth versions prior to 1.43.7; OATHAuth versions prior to 1.44.4; OATHAuth versions prior to 1.45.2. Description: An issue in Wikimedia Foundation OATHAuth allows the exposure of sensitive information to an unauthorized actor. Recommendations...

CVSS 7.5 | AI score 5.8 | EPSS 0.0029
Exploits: 0 | References: 18

RedhatCVE
added 2026/02/13 1:31 a.m. | 7 views

CVE-2025-67482

Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from before...

CVSS 6.3 | AI score 5.4 | EPSS 0.00291
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/04 3:15 a.m. | 10 views

CVE-2025-61650

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from before...

CVSS 4.8 | AI score 5.3 | EPSS 0.00247
Exploits: 0 | References: 1