mediawiki — Vulnerabilities & Security Advisories 64

All 64 CVE vulnerabilities found in mediawiki, with AI-generated Chinese analysis, references, and POCs.

This page serves as a comprehensive vulnerability aggregation resource for the MediaWiki product, focusing on various weakness types and security tags. It collects detailed records of security flaws affecting this widely used wiki software platform, covering a broad time range from historical findings to recent disclosures. The aggregated data spans from early vulnerabilities in legacy versions up to the most recent updates, ensuring a complete timeline of security issues. Here, users can track MediaWiki vendor advisories to stay informed about official patches and remediation steps. The resource allows for a deep understanding of common weakness classes that frequently impact this software, such as cross-site scripting, injection flaws, and information disclosure. By examining these patterns, developers and security analysts can better assess risks and apply appropriate mitigations. Additionally, the page provides a historical view of vulnerabilities associated with MediaWiki, enabling users to look up the product's vulnerability history for specific versions. This chronological approach helps identify trends in security maturity and recurring issues over time. The content is structured to support thorough security audits, compliance checks, and risk assessments without overwhelming the reader with unnecessary details. All information is presented in a neutral, factual manner to facilitate efficient research and decision-making. This resource is particularly valuable for maintainers, system administrators, and security professionals who need to understand the specific threat landscape surrounding MediaWiki deployments.

Vendor: mediawiki

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34095 | action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request | | - | - | 2026-05-11 |
| CVE-2026-34094 | Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix | | - | - | 2026-05-11 |
| CVE-2026-34093 | Special:UserRights allows viewing user rights from private wiki | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34092 | Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34091 | User localization leaked by AbuseFilter + EventStream | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34088 | RecentChanges entries expose suppressed content via generated log page html | CWE-200 | - | - | 2026-05-11 |
| CVE-2025-67481 | mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67483 | Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67484 | Action API xslt option allows JavaScript execution by administrators who are not interface administrators | | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67480 | list=allrevisions can be used to bypass Extension:Lockdown | | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67475 | Stored XSS through edit summaries in MW Core | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67476 | Importing leaks IP address of importer via EventStreams | | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67477 | Stored XSS through a system message in Special:ApiSandbox | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67479 | Magic word replacement in legacy parser allows using reserved data attributes through wikitext | | 9.1 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-11261 | Stored i18n XSS exposed by security patch for T402077 | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61645 | CodexTablePager has i18n XSS | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61646 | Watchlist group mode reveals authors of edits with hidden authorship | | 8.2 (AI) | High (AI) | 2026-02-03 |
| CVE-2025-61644 | i18n XSS through Special:Watchlist | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61637 | Stored XSS through system messages in MW Core | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61638 | Sanitizer::validateAttributes data-XSS | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61639 | Suppressed blocked IP is visible in Special:BlockList, RC, and other places | CWE-200 | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-61640 | Stored XSS through system messages in Special:RecentChangesLinked (MW Core) | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61641 | API list=allpages with maxsize is making really slow queries | | 9.1 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-61642 | Stored XSS through system messages provided to CodexHtmlForms | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61643 | EventStreams publishes suppressed recent change entries that are suppressed from their creation | | 5.3 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61634 | HTML rest endpoint needs PoolCounter and proper parser cache check | | 9.4 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-61636 | Codex Special:Block vulnerable to message key XSS | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6589 | With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList | | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6590 | Complete content leak of private wikis due to PasswordReset Wikitext injection in error message | CWE-200 | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6591 | HTML injection in API action=feedcontributions output from i18n message | | 8.2 (AI) | High (AI) | 2026-02-02 |

All 64 known CVE vulnerabilities affecting mediawiki with full Chinese analysis, references, and POCs where available.