CVE-2025-23072 XSS in Special:RefreshSpecial
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - RefreshSpecial Extension: from 1.39.X before 1.39.11, from 1.41.X...
CVE-2025-23072
CVE-2025-23072 is a Cross-Site Scripting (XSS) vulnerability in the Wikimedia Foundation MediaWiki RefreshSpecial extension. Affected versions are: 1.39.X before 1.39.11, 1.41.X before 1.41.3, and 1.42.X before 1.42.2, where input is improperly neutralized during page generation. This vulnerabili...
CVE-2025-23081 Various security vulnerabilities in Extension:DataTransfer
Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS). This issue affects Mediawiki - DataTransf...
CVE-2025-23080 XSSes in Special:BadgeView
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - OpenBadges Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - OpenBadges Extension: from 1.39.X before 1.39.11, from 1.41.X before...
CVE-2025-23080
CVE-2025-23080 affects the Wikimedia Foundation’s Mediawiki OpenBadges Extension. The issue is an XSS risk caused by improper neutralization of input during web page generation. Affected versions are: 1.39.x before 1.39.11; 1.41.x before 1.41.3; and 1.42.x before 1.42.2. The primary root cause i...
CVE-2025-23079
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - ArticleFeedbackv5 extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - ArticleFeedbackv5 extension: from 1.42.X before 1.42.2...
CVE-2025-23078 XSS in BreadCrumbs2
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Breadcrumbs2 extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Breadcrumbs2 extension: from 1.39.X before 1.39.11, from 1.41.X before...
Mediawiki Cargo extension vulnerable to Cross-site Scripting
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1...
CVE-2024-47846
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery. This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1...
CVE-2024-47840
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Apex skin allows Stored XSS. This issue affects Mediawiki - Apex skin: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2...
CVE-2024-47849
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection. This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1...
CVE-2024-47845
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2...
CVE-2024-47841
CVE-2024-47841 affects the MediaWiki CSS Extension. The vulnerability is a path traversal flaw in stylesheet loading: pathnames are not properly limited to a restricted directory. Affected versions are MediaWiki CSS Extension: 1.39.X before 1.39.9; 1.41.X before 1.41.3; 1.4...
CVE-2024-47841 Path traversal when loading stylesheets
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Path Traversal. This issue affects Mediawiki - CSS Extension: from 1.42.X before 1.42.2, from 1.41.X before 1.41.3, from 1.39.X before 1.39.9...
CVE-2024-47840 Stored XSS through sidebar in Apex skin
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Apex skin allows Stored XSS. This issue affects Mediawiki - Apex skin: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2...
CVE-2024-47840
CVE-2024-47840: A stored XSS vulnerability in the MediaWiki Apex skin exposes stored scripts via the sidebar. Affected versions are MediaWiki Apex skin 1.39.x before 1.39.9, 1.41.x before 1.41.3, and 1.42.x before 1.42.2. The issue is caused by improper neutralization of input during web page gen...
CVE-2024-47847 Various XSSes found in Cargo
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1...
CVE-2024-47846 Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery. This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1...