CVE-2025-53478 CheckUser: Reflected Cross-Site Scripting (XSS) in Special:Investigate via unsanitized i18n messages

The CheckUser extension’s Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the “IPs and User agents” tab. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X befor...

CVE-2022-28204

A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere⌖=Property%3AP31=1=1 can take more than thirty seconds. There is a DDoS risk...

CVE-2019-19709

MediaWiki through 1.33.1 allows attackers to bypass the Titleblacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page...

CVE-2025-32076 Evil regex used to process user-provided data in VisualData

Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Visual Data Extension allows HTTP DoS.This issue affects Mediawiki - Visual Data Extension: from 1.39 through 1.43...

CVE-2025-32696

Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1...

MediaWiki < 1.23.16 Wiki Visitor IP Leakage

According to its self-reported version number, the instance of MediaWiki hosted on the remote web server is prior to 1.23.16, 1.24.x prior to 1.27.2 or 1.28.x prior to 1.28.1 . It is, therefore, affected by a flaw which may allow remote attackers to discover the IP addresses of Wiki Visitors via ...

PT-2021-23487 · Mediawiki +1 · Mediawiki +1

Name of the Vulnerable Software and Affected Versions: MediaWiki versions through 1.36.2 Description: An issue was discovered in the Growth extension in MediaWiki. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits...

Information disclosure

Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid...

UBUNTU-CVE-2015-2936

MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service CPU consumption via a long password...

CVE-2014-9476

MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."...

CVE-2014-5243

MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site...