Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-58028

Summary
Assigner-wikimedia-foundation
Assigner Org ID-c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
Published At-01 Jul, 2026 | 15:15
Updated At-01 Jul, 2026 | 15:50
Rejected At-
Credits

Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth. This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:wikimedia-foundation
Assigner Org ID:c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
Published At:01 Jul, 2026 | 15:15
Updated At:01 Jul, 2026 | 15:50
Rejected At:
â–¼CVE Numbering Authority (CNA)
Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth. This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Affected Products
Vendor
Wikimedia FoundationWikimedia Foundation
Product
MediaWiki
Repo
https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master
Program Files
  • includes/Api/ApiFormatBase.php
  • includes/Api/ApiHelp.php
  • includes/ResourceLoader/Module.php
Default Status
unaffected
Versions
Affected
  • From * before 1.46.0, 1.45.4, 1.44.6, 1.43.9 (semver)
Vendor
Wikimedia FoundationWikimedia Foundation
Product
CentralAuth
Program Files
  • includes/Hooks/Handlers/PageDisplayHookHandler.php
  • includes/LogFormatter/PermissionChangeLogFormatter.php
Default Status
unaffected
Versions
Affected
  • From * before 1.46.0, 1.45.4, 1.44.6, 1.43.9 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.00.0NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 0.0
Base severity: NONE
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://phabricator.wikimedia.org/T422306
N/A
Hyperlink: https://phabricator.wikimedia.org/T422306
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
Published At:01 Jul, 2026 | 16:16
Updated At:01 Jul, 2026 | 18:18

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth. This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.00.0NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
N/A
Type: Secondary
Version: 4.0
Base score: 0.0
Base severity: NONE
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-79Secondaryc4f26cc8-17ff-4c99-b5e2-38fc1793eacc
CWE ID: CWE-79
Type: Secondary
Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://phabricator.wikimedia.org/T422306c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
N/A
Hyperlink: https://phabricator.wikimedia.org/T422306
Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

68Records found

CVE-2026-58038
Matching Score-10
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-10
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.24% / 15.06%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 15:04
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through javascript URLs in SVGs generated by EasyTimeline

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation timeline. This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl. This issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Action-Not Available
Vendor-Wikimedia Foundation
Product-timeline
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8857
Matching Score-8
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-8
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.27% / 18.32%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 15:08
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Full RCE using EasyTimeline Extension

A vulnerability in Wikimedia Foundation timeline. This vulnerability is associated with program files scripts/EasyTimeline.Pl, includes/Timeline.Php. This issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Action-Not Available
Vendor-Wikimedia Foundation
Product-timeline
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-13706
Matching Score-8
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-8
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.28% / 19.62%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 14:29
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UrlShortener extension url validation can be bypassed due to difference between php url parsing and WHATWG

Improper input validation vulnerability in Wikimedia Foundation UrlShortener. This vulnerability is associated with program files includes/UrlShortenerUtils.Php.

Action-Not Available
Vendor-Wikimedia Foundation
Product-UrlShortener
CWE ID-CWE-20
Improper Input Validation
CVE-2026-58037
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.39% / 30.94%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 14:51
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Core log entries for exceptions and XSS issues in log entry formatting code that may be caused by user-controlled input

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Language/Language.Php, includes/Logging/BlockLogFormatter.Php, includes/Logging/LogFormatter.Php, includes/Logging/PatrolLogFormatter.Php, includes/Logging/RenameuserLogFormatter.Php, includes/Logging/TagLogFormatter.Php, includes/Specials/SpecialVersion.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58032
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.44% / 35.03%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 14:56
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Api/index.Js. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58034
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.25% / 15.83%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 14:21
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message when blocking a temporary account that's related to other temporary accounts

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue. This issue affects CheckUser: from 1.46.0-rc.0 before 1.46.0.

Action-Not Available
Vendor-Wikimedia Foundation
Product-CheckUser
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58030
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 30.94%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 14:58
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SyntaxHighlight stored XSS via unsanitized 'linelinks' attribute

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation SyntaxHighlight_GeSHi. This vulnerability is associated with program files includes/SyntaxHighlight.Php. This issue affects SyntaxHighlight_GeSHi: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Action-Not Available
Vendor-Wikimedia Foundation
Product-SyntaxHighlight_GeSHi
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58035
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.25% / 15.83%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 14:17
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message in the codex version of Special:Block

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Block/SpecialBlock.Vue.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3469
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.36% / 28.24%
||
7 Day CHG+0.02%
Published-10 Apr, 2025 | 18:28
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
i18n XSS vulnerability in HTMLMultiSelectField when sections are used

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-32699
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-2.1||LOW
EPSS-0.33% / 25.38%
||
7 Day CHG+0.02%
Published-10 Apr, 2025 | 18:30
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential javascript injection attack enabled by Unicode normalization in Action API

Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWikiParsoid
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23072
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 21.49%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 18:29
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Special:RefreshSpecial

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - RefreshSpecial Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - RefreshSpecial Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23081
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 7.62%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 16:56
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Various security vulnerabilities in Extension:DataTransfer

Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - DataTransfer Extension
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39838
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 32.12%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 19:17
Updated-08 Apr, 2026 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki - ProofreadPage Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39840
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.1||MEDIUM
EPSS-0.16% / 5.35%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 19:35
Updated-15 Apr, 2026 | 23:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSS injection in multiple Cargo display formats

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

Action-Not Available
Vendor-Wikimedia Foundation
Product-cargoMediawiki - Cargo Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39841
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.3||MEDIUM
EPSS-0.16% / 5.35%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 19:43
Updated-15 Apr, 2026 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through list fields on Cargo's page values and Special:CargoTables

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

Action-Not Available
Vendor-Wikimedia Foundation
Product-cargoMediawiki - Cargo Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-23078
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 15.63%
||
7 Day CHG~0.00%
Published-10 Jan, 2025 | 17:57
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in BreadCrumbs2

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Breadcrumbs2 extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Breadcrumbs2 extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.5, from 1.42.X before 1.42.4.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Breadcrumbs2 extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23080
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 20.57%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 16:40
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSSes in Special:BadgeView

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - OpenBadges Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - OpenBadges Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - OpenBadges Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23079
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 13.29%
||
7 Day CHG~0.00%
Published-10 Jan, 2025 | 19:03
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSSes in Extension:ArticleFeedbackv5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - ArticleFeedbackv5 extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - ArticleFeedbackv5 extension: from 1.42.X before 1.42.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - ArticleFeedbackv5 extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-34089
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-2.3||LOW
EPSS-0.23% / 13.57%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 14:46
Updated-12 May, 2026 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory leak in Scribunto causes runJobs.php to run out of memory

Vulnerability in Wikimedia Foundation Scribunto. This issue affects Scribunto: from 1.45.0 before 1.45.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Scribunto
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-11261
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.22% / 13.16%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 00:25
Updated-25 Mar, 2026 | 13:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored i18n XSS exposed by security patch for T402077

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58031
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.23% / 13.78%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 14:24
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from 1.46.0-rc.0 before 1.46.0.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-67477
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.22% / 11.95%
||
7 Day CHG-0.02%
Published-03 Feb, 2026 | 01:16
Updated-09 Apr, 2026 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message in Special:ApiSandbox

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-0671
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 10.25%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 16:21
Updated-15 Jan, 2026 | 21:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple stored i18n/message-key XSSes in UploadWizard

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawiki-extensions-uploadwizardMediaWiki - UploadWizard extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-0670
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.1||MEDIUM
EPSS-0.16% / 5.40%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 18:55
Updated-23 Feb, 2026 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message and a user-provided parameter in ProofreadPage

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-proofread_pageMediaWiki - ProofreadPage Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62665
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.80%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:10
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in Skin:BlueSky

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Skin:BlueSky allows Stored XSS.This issue affects Mediawiki - Skin:BlueSky: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Skin:BlueSky
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61637
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.22% / 12.29%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 23:54
Updated-16 Mar, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in MW Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61657
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.25% / 15.86%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 01:00
Updated-03 Feb, 2026 | 21:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js. This issue affects Vector: from * before 1.43.4, 1.44.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Vector
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61636
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.21% / 11.43%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 23:23
Updated-16 Mar, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Codex Special:Block vulnerable to message key XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53480
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 6.67%
||
7 Day CHG~0.00%
Published-08 Jul, 2025 | 14:58
Updated-08 Jul, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CheckUser: Reflected Cross-Site Scripting (XSS) in Special:Investigate (Account information tab) via unsanitized i18n messages

The CheckUser extension’s Special:Investigate page has a vulnerability in the Account information tab, where specific internationalized messages are rendered without proper escaping. Attackers can exploit this by appending ?uselang=x-xss to the URL, causing reflected XSS when the UI renders affected message keys. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - CheckUser extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6451
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.08% / 60.96%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 14:56
Updated-06 Aug, 2024 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4303
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.53% / 71.61%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 18:30
Updated-06 Aug, 2024 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7362
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 6.67%
||
7 Day CHG~0.00%
Published-08 Jul, 2025 | 17:22
Updated-10 Jul, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MsUpload: Stored Cross-Site Scripting (XSS) via unsanitized msu-continue system message

The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice. This issue affects Mediawiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - MsUpload extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7363
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 10.44%
||
7 Day CHG~0.00%
Published-08 Jul, 2025 | 17:27
Updated-10 Jul, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TitleIcon: Stored Cross-Site Scripting (XSS) via #titleicon_unicode parser function

The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject arbitrary JavaScript. This issue affects Mediawiki - TitleIcon extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - TitleIcon extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7057
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 6.67%
||
7 Day CHG~0.00%
Published-07 Jul, 2025 | 15:12
Updated-10 Jul, 2025 | 23:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in Quiz

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Quiz Extension allows Stored XSS.This issue affects Mediawiki - Quiz Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Quiz Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7056
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-6.3||MEDIUM
EPSS-0.19% / 8.47%
||
7 Day CHG~0.00%
Published-07 Jul, 2025 | 13:57
Updated-10 Jul, 2025 | 23:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in UrlShortener

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - UrlShortener Extension allows Stored XSS.This issue affects Mediawiki - UrlShortener Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - UrlShortener Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-67481
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.22% / 12.57%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 01:30
Updated-09 Apr, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-67483
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.22% / 12.57%
||
7 Day CHG-0.02%
Published-03 Feb, 2026 | 01:26
Updated-09 Apr, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-67475
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.21% / 11.39%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 01:21
Updated-09 Apr, 2026 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through edit summaries in MW Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-6596
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 22:58
Updated-03 Feb, 2026 | 21:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vector inserts portlet labels as HTML, allowing for stored XSS through system messages

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vector: from >= 1.40.0 before 1.42.7, 1.43.2, 1.44.0.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Vector
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-6594
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.27% / 18.62%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 23:00
Updated-03 Feb, 2026 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Special:ApiSandbox

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-6591
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.39% / 31.21%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 23:02
Updated-28 Feb, 2026 | 04:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML injection in API action=feedcontributions output from i18n message

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-6595
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.27% / 18.62%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 22:59
Updated-03 Feb, 2026 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer.This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MultimediaViewer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61645
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.20% / 10.49%
||
7 Day CHG-0.02%
Published-03 Feb, 2026 | 00:13
Updated-06 Mar, 2026 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodexTablePager has i18n XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61655
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.14% / 4.04%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 01:04
Updated-09 Apr, 2026 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in VisualEditor

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-visual_editorVisualEditor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61650
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-1.1||LOW
EPSS-0.25% / 15.83%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 00:15
Updated-03 Feb, 2026 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UserInfoCard is vulnerable to message key stored XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from * before 795bf333272206a0189050d975e94b70eb7dc507.

Action-Not Available
Vendor-Wikimedia Foundation
Product-CheckUser
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61640
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.22% / 12.19%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 23:42
Updated-16 Mar, 2026 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in Special:RecentChangesLinked (MW Core)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61638
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.23% / 14.14%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 23:52
Updated-16 Mar, 2026 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sanitizer::validateAttributes data-XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiparsoidParsoidMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61648
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.14% / 4.03%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 00:19
Updated-09 Apr, 2026 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in CheckUser

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/ShowIPButton.Vue, modules/ext.CheckUser.TempAccounts/SpecialBlock.Js. This issue affects CheckUser: from * before 1.44.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-checkuserCheckUser
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61644
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.25% / 15.86%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 23:57
Updated-03 Feb, 2026 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
i18n XSS through Special:Watchlist

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-61642
Matching Score-6
Assigner-The Wikimedia Foundation
ShareView Details
Matching Score-6
Assigner-The Wikimedia Foundation
CVSS Score-Not Assigned
EPSS-0.22% / 12.46%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 23:36
Updated-25 Mar, 2026 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages provided to CodexHtmlForms

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • Next
Details not found