24 matches found
CVE-2026-22711
Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the master branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45...
CVE-2026-30917
Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed ...
CVE-2025-67477 Stored XSS through a system message in Special:ApiSandbox
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from before...
CVE-2025-6593
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0...
CVE-2025-6590 Complete content leak of private wikis due to PasswordReset Wikitext injection in error message
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from through 1.39.12, 1.42.76 1.43.1, 1.44.0...
CVE-2025-62659
The CVE-2025-62659 issue affects the MediaWiki CookieConsent extension for Cookie consent management. It is a Cross-Site Scripting (XSS) vulnerability caused by improper handling of reserved data attributes in the Sanitizer::validateAttributes() function, enabling arbitrary scripts to run in a us...
CVE-2025-62697 Improperly sanitized style parameter in LanguageSelector
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in The Wikimedia Foundation Mediawiki - LanguageSelector Extension allows Code Injection. This issue affects Mediawiki - LanguageSelector Extension: from master before 1.39...
EUVD-2025-34962
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - UploadWizard Extension allows Stored XSS. This issue affects Mediawiki - UploadWizard Extension: from master before 1.39...
CVE-2025-62664 Stored XSS through a system message in ImageRating
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ImageRating Extension allows Stored XSS. This issue affects Mediawiki - ImageRating Extension: from master before 1.39...
EUVD-2023-2825
Malicious code in bioql PyPI...
Wikimedia Mediawiki - SecurePoll extension cross-site request forgery vulnerability
Wikimedia Mediawiki - SecurePoll extension is a special page extension for elections, polls and surveys from the Wikimedia Foundation. A cross-site request forgery vulnerability exists in the Wikimedia Mediawiki - SecurePoll extension versions prior to 1.39.13, prior to 1.42.7, and prior to 1.43....
Vulnerabilities fixed in Microsoft Developer Tools
Microsoft has fixed vulnerabilities in several Developer Tools. A malicious person with access to the development environment can exploit the vulnerabilities to carry out attacks that could lead to the following categories of damage: bypassing a security measure, remote code execution, user rights...
Microsoft Media-Wiki Extensions security vulnerability
Microsoft Media-Wiki Extensions is an extension from Microsoft Corporation USA. A security vulnerability exists in Microsoft Media-Wiki Extensions. An attacker could exploit the vulnerability to remotely execute code...
SUSE CVE-2015-2942
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," ...
U.S. Dept Of Defense: Improper Access Control on Media Wiki allows an attacker to restart installation on DoD asset
An improper access control vulnerability was found on a MediaWiki website, allowing attackers to restart the installation process without authentication. The vulnerability was fixed by blocking all access to the mw-config folder...
UBUNTU-CVE-2021-41799
MediaWiki before 1.36.2 allows a denial of service (resource consumption) because of lengthy query processing time. ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan...
PT-2021-21128 · Mediawiki
Name of the Vulnerable Software and Affected Versions: MediaWiki versions through 1.36. Description: A cross-site scripting (XSS) issue was discovered in the SportsTeams extension. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields...
DEBIAN-CVE-2020-35479
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later...
UBUNTU-CVE-2020-29002
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator...
PT-2020-16300 · Wikimedia · FileImporter Extension
Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.34.4; FileImporter extension for MediaWiki versions prior to 1.34.4. Description: An issue in the FileImporter extension allows an attacker to import a file into a protected page, bypassing "page creation"...