| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Wikimedia Foundation | MediaWiki | *< 1.46.0, 1.45.4, 1.44.6, 1.43.9 | affected |

| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Wikimedia Foundation | MediaWiki | * ~ 1.46.0, 1.45.4, 1.44.6, 1.43.9 | - |
No public POC found.

| CVE | Title |
|---|---|
| CVE-2026-58033 | "Total number of distinct authors" statistic at action=info does not exclude revisions whe |
| CVE-2026-8857 | Full RCE using EasyTimeline Extension |
| CVE-2026-13706 | UrlShortener extension url validation can be bypassed due to difference between php url pa |
| CVE-2026-13707 | Session fixation attacks on improperly configured OAuth 1.0a tools |
| CVE-2026-58034 | Stored XSS through a system message when blocking a temporary account that's related to ot |
| CVE-2026-58028 | Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets |
| CVE-2026-58029 | Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata |
| CVE-2026-58036 | Users API leaks whether privileged users have their user groups disabled for lack of 2FA |
| CVE-2026-58030 | SyntaxHighlight stored XSS via unsanitized 'linelinks' attribute |
| CVE-2026-58037 | Core log entries for exceptions and XSS issues in log entry formatting code that may be ca |
| CVE-2026-58038 | Stored XSS through javascript URLs in SVGs generated by EasyTimeline |
| CVE-2026-58027 | QueryAbuseFilter API can be used to see the hit count of private filters, which is hidden |
| CVE-2026-58031 | Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected |
| CVE-2026-58024 | API identification of users on private wikis |
| CVE-2026-58025 | Remote Code Execution via Unsafe Deserialization in LogItem Import |
| CVE-2026-58026 | $wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces |
| CVE-2026-58035 | Stored XSS through a system message in the codex version of Special:Block |