Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

The Wikimedia Foundation

Source -

CNA

BOS Name -

Wikimedia Foundation

CNA CVEs -

69

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
69Vulnerabilities found

CVE-2026-14363
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 16.86%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 19:22
Updated-02 Jul, 2026 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cargo Extension: SQLi in Special:Drilldown

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Cargo Extension
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-14358
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 18.39%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 18:48
Updated-02 Jul, 2026 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in Wikimedia Chart pie tooltip via Data:*.tab field title

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Charts Extension: from * before 1.43.9,1.44.6,1.45.4.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Charts Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58517
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 26.23%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 18:23
Updated-01 Jul, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blocked users can create and edit WikiLambda objects

Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass. This issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - WikiLambda Extension
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2026-58521
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.25% / 15.88%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 17:30
Updated-01 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQLi in Cargo extension via year range filter

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Cargo Extension
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-58520
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 17.36%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 17:14
Updated-01 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UrlShortener defaults to ineffective validation open to third-party redirects

URL redirection to untrusted site ('open redirect') vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing. This issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - UrlShortener Extension
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-58519
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 18.39%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 03:59
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through Cargo's map format

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: from * before 3.9.1.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Cargo Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58518
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.16% / 5.23%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 03:52
Updated-01 Jul, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site request forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery. This issue affects Mediawiki - RedirectManager Extension: from * before 1.3.3.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - RedirectManager Extension
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-39936
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 18.39%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 22:11
Updated-08 Apr, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in Score due to usage of non-reserved data attributes

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Score Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39935
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 21.02%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 22:04
Updated-08 Apr, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS-via-i18n in localised wiki names

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS). This issue was remediated only on the `master` branch.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - CampaignEvents Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39934
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 26.88%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 22:00
Updated-08 Apr, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Growth Experiments ReassignMenteesJob runs as an infinite loop

Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - GrowthExperiments Extension
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2026-39933
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 25.48%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 21:51
Updated-08 Apr, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple XSS vulnerabilities in GlobalWatchlist

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - GlobalWatchlist Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39937
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-8.8||HIGH
EPSS-0.26% / 17.63%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 21:44
Updated-08 Apr, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Global vanishing does not completely remove user email

Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - CentralAuth Extension
CWE ID-CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2026-22711
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 21.01%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 18:39
Updated-08 Apr, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in WikiLove

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Wikilove Extension
CWE ID-CWE-87
Improper Neutralization of Alternate XSS Syntax
CVE-2025-11175
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-8.8||HIGH
EPSS-0.42% / 34.13%
||
7 Day CHG~0.00%
Published-30 Jan, 2026 | 19:12
Updated-04 Feb, 2026 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DiscussionTools should use better regex

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - DiscussionTools Extension
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-22712
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-2.3||LOW
EPSS-0.21% / 11.57%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 00:06
Updated-12 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ApprovedRevs allows bypassing the inline CSS sanitizer

Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.

Action-Not Available
Vendor-wikiworksWikimedia Foundation
Product-approved_revsMediawiki - ApprovedRevs Extension
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CVE-2026-22713
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-2.3||LOW
EPSS-0.17% / 6.82%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 00:00
Updated-12 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through edit summaries in GrowthExperiments

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39.

Action-Not Available
Vendor-growthWikimedia Foundation
Product-growthexperimentsMediawiki - GrowthExperiments Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-22714
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-2.3||LOW
EPSS-0.34% / 25.48%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 23:56
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
i18n XSS, DoS and config SQLI in Monaco

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Monaco Skin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-22710
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-2.3||LOW
EPSS-0.17% / 6.82%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 23:48
Updated-12 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through autocomment system messages in Wikibase

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-wikibaseMediawiki - Wikibase Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62659
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-2.1||LOW
EPSS-0.27% / 18.35%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 15:31
Updated-22 Oct, 2025 | 21:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The CookieConsent extension does not properly use reserved data attributes, thus introducing potential XSS vectors

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki CookieConsent extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki CookieConsent extension: from v0.1.0 before v2.0.0.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki CookieConsent extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62661
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.32% / 24.20%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 19:33
Updated-22 Oct, 2025 | 21:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Do permission checking when getting counts of global and local edits, new articles and thanks

Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension: from 1.43 before 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-12004
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-10||CRITICAL
EPSS-0.29% / 20.72%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 06:20
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The compare API module breaks Extension:Lockdown

Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Lockdown Extension
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-62701
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.94%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 04:45
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS.This issue affects Mediawiki - Wikistories: from master before 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Wikistories
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62702
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.94%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 04:42
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS.This issue affects Mediawiki - PageTriage Extension: from master before 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - PageTriage Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62694
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 26.54%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 04:28
Updated-21 Oct, 2025 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLove Extension allows Stored XSS.This issue affects Mediawiki - WikiLove Extension: 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - WikiLove Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62695
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.94%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 04:02
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Stored XSS.This issue affects Mediawiki - WikiLambda Extension: master.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - WikiLambda Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62696
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-1.17% / 63.55%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 03:58
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple critical security issues in Springboard

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in The Wikimedia Foundation Mediawiki Foundation - Springboard Extension allows Command Injection.This issue affects Mediawiki Foundation - Springboard Extension: master.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki Foundation - Springboard Extension
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-62699
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 25.84%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 03:48
Updated-21 Oct, 2025 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Special:Translate tool does not use the correct IP and User-Agent in the CheckUser tool

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Translate Extension allows Footprinting. Translate extension appears to use jobs to make edits to translation pages. This causes the CheckUser tool to log the wrong IP and User-Agent making these edits un-auditable via the CheckUser tool.This issue affects Mediawiki - Translate Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Translate Extension
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-62658
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-7.5||HIGH
EPSS-0.22% / 12.10%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 20:23
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL injection in WatchAnalytics through Special:ClearPendingReviews

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki WatchAnalytics extension
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62657
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-5.8||MEDIUM
EPSS-0.24% / 15.66%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 20:19
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in PageForms

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PageForms extension allows Stored XSS.This issue affects MediaWiki PageForms extension: 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki PageForms extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62656
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-5.8||MEDIUM
EPSS-0.24% / 15.66%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 20:15
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GlobalBlocking Special:GlobalBlockList vulnerable to message key stored XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki GlobalBlocking extension allows Stored XSS.This issue affects MediaWiki GlobalBlocking extension: 1.43, 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki GlobalBlocking extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62697
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-8.8||HIGH
EPSS-0.32% / 23.48%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 19:27
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improperly sanitized style parameter in LanguageSelector

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in The Wikimedia Foundation Mediawiki - LanguageSelector Extension allows Code Injection.This issue affects Mediawiki - LanguageSelector Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - LanguageSelector Extension
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2025-62698
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.94%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 18:07
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in ExternalGuidance

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ExternalGuidance allows Stored XSS.This issue affects Mediawiki - ExternalGuidance: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - ExternalGuidance
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62700
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.94%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 17:53
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message in MultiBoilerplate

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - MultiBoilerplate Extensionmaste allows Stored XSS.This issue affects Mediawiki - MultiBoilerplate Extensionmaste: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - MultiBoilerplate Extensionmaste
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62693
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.94%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 17:51
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in LastModified

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - LastModified Extension allows Stored XSS.This issue affects Mediawiki - LastModified Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - LastModified Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-11937
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.81%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 05:14
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message in SecurePoll

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - SecurePoll Extension allows Stored XSS.This issue affects Mediawiki - SecurePoll Extension: master.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - SecurePoll Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62666
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 32.08%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:47
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS vector through the cirrusbuilddoc query API

Allocation of Resources Without Limits or Throttling vulnerability in The Wikimedia Foundation Mediawiki - CirrusSearch Extension allows HTTP DoS.This issue affects Mediawiki - CirrusSearch Extension: from master before 1.43.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - CirrusSearch Extension
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-62667
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.81%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:42
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through article extracts in GrowthExperiments

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Stored XSS.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - GrowthExperiments Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62668
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.38% / 30.00%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:39
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient permission checks in action=growthsetmentor

Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - GrowthExperiments Extension
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-62669
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 32.08%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:34
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.This issue affects Mediawiki - CentralAuth Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - CentralAuth Extension
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-62670
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.81%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:29
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message in FlexDiagrams

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - FlexDiagrams Extension allows Stored XSS.This issue affects Mediawiki - FlexDiagrams Extension: master.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - FlexDiagrams Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62671
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.81%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:24
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through wikitext in Cargo

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: master.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Cargo Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62662
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.81%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:19
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in AdvancedSearch

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - AdvancedSearch Extension allows Stored XSS.This issue affects Mediawiki - AdvancedSearch Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - AdvancedSearch Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62663
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.81%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:16
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message in UploadWizard

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - UploadWizard Extension allows Stored XSS.This issue affects Mediawiki - UploadWizard Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - UploadWizard Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62664
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.81%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 04:13
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through a system message in ImageRating

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ImageRating Extension allows Stored XSS.This issue affects Mediawiki - ImageRating Extension: from master before 1.39.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - ImageRating Extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62655
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-2.1||LOW
EPSS-0.25% / 16.01%
||
7 Day CHG~0.00%
Published-17 Oct, 2025 | 22:46
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL injection in Cargo via Special:CargoExport

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki Cargo extension allows SQL Injection.This issue affects MediaWiki Cargo extension: 1.39, 1.43, 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki Cargo extension
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62654
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-2||LOW
EPSS-0.28% / 19.91%
||
7 Day CHG~0.00%
Published-17 Oct, 2025 | 22:38
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in QuizGame

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki QuizGame extension allows Stored XSS.This issue affects MediaWiki QuizGame extension: 1.39, 1.43, 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki QuizGame extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62653
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-2||LOW
EPSS-0.28% / 19.91%
||
7 Day CHG~0.00%
Published-17 Oct, 2025 | 22:23
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS through system messages in PollNY

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PollNY extension allows Stored XSS.This issue affects MediaWiki PollNY extension: 1.39, 1.43, 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki PollNY extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62652
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-5.8||MEDIUM
EPSS-0.35% / 27.16%
||
7 Day CHG~0.00%
Published-17 Oct, 2025 | 22:15
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in WebAuthn key name

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki WebAuthn extension allows Stored XSS.This issue affects MediaWiki WebAuthn extension: 1.39, 1.43, 1.44.

Action-Not Available
Vendor-Wikimedia Foundation
Product-MediaWiki WebAuthn extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-32077
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 26.90%
||
7 Day CHG+0.02%
Published-11 Apr, 2025 | 16:25
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSSes in Extension:SimpleCalendar

Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Extension:SimpleCalendar allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Extension:SimpleCalendar: from 1.39 through 1.43.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Extension:SimpleCalendar
CWE ID-CWE-20
Improper Input Validation
CVE-2025-32078
Assigner-The Wikimedia Foundation
ShareView Details
Assigner-The Wikimedia Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 26.90%
||
7 Day CHG+0.02%
Published-11 Apr, 2025 | 16:24
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSSes and potential RCE in Special:VersionCompare

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43.

Action-Not Available
Vendor-Wikimedia Foundation
Product-Mediawiki - Version Compare Extension
CWE ID-CWE-116
Improper Encoding or Escaping of Output
  • Previous
  • 1
  • 2
  • Next