
The Wikimedia Foundation — Vulnerabilities & Security Advisories (62)

Browse all 62 CVE security advisories affecting The Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Wikimedia Foundation operates non-profit digital platforms, most notably Wikipedia, facilitating global knowledge sharing through collaborative editing. Its infrastructure relies on complex web applications and databases, making it a frequent target for automated scanning and exploitation. Historical vulnerability records indicate a prevalence of cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF) flaws, stemming from the scale and diversity of its codebase contributions. While remote code execution (RCE) incidents are less common, they pose significant risks due to the platform’s critical nature. The organization employs rigorous code review processes and maintains a dedicated security team to address these issues. Despite these measures, the sheer volume of user-generated content and extensions creates a broad attack surface. The foundation’s response to security incidents typically involves rapid patching and transparency reports, aiming to maintain trust while mitigating the impact of discovered exploits on its vast user base.

| CVE ID | Title | Affected product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39936 | Stored XSS in Score due to usage of non-reserved data attributes | Mediawiki - Score Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39935 | XSS-via-i18n in localised wiki names | Mediawiki - CampaignEvents Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39934 | Growth Experiments ReassignMenteesJob runs as an infinite loop | Mediawiki - GrowthExperiments Extension | CWE-835 | 5.9 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39933 | Multiple XSS vulnerabilities in GlobalWatchlist | Mediawiki - GlobalWatchlist Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39937 | Global vanishing does not completely remove user email | Mediawiki - CentralAuth Extension | CWE-212 | 7.5 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-22711 | Stored XSS through system messages in WikiLove | Mediawiki - Wikilove Extension | CWE-87 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2025-11175 | DiscussionTools should use better regex | Mediawiki - DiscussionTools Extension | CWE-917 | 7.5 (AI) | High (AI) | 2026-01-30 |
| CVE-2026-22712 | ApprovedRevs allows bypassing the inline CSS sanitizer | Mediawiki - ApprovedRevs Extension | CWE-116 | 9.1 | - | 2026-01-09 |
| CVE-2026-22713 | Stored XSS through edit summaries in GrowthExperiments | Mediawiki - GrowthExperiments Extension | CWE-79 | 6.1 | - | 2026-01-09 |
| CVE-2026-22714 | i18n XSS, DoS and config SQLI in Monaco | Mediawiki - Monaco Skin | CWE-79 | 6.1 | - | 2026-01-08 |
| CVE-2026-22710 | Stored XSS through autocomment system messages in Wikibase | Mediawiki - Wikibase Extension | CWE-79 | 6.1 | - | 2026-01-08 |
| CVE-2025-62659 | The CookieConsent extension does not properly use reserved data attributes, thus introducing potential XSS vectors | MediaWiki CookieConsent extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-22 |
| CVE-2025-62661 | Do permission checking when getting counts of global and local edits, new articles and thanks | Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension | CWE-276 | 7.5 (AI) | High (AI) | 2025-10-21 |
| CVE-2025-12004 | The compare API module breaks Extension:Lockdown | Mediawiki - Lockdown Extension | CWE-732 | 8.8 (AI) | High (AI) | 2025-10-21 |
| CVE-2025-62701 | Stored XSS through system messages | Mediawiki - Wikistories | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-21 |
| CVE-2025-62702 | Stored XSS through system messages | Mediawiki - PageTriage Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-21 |
| CVE-2025-62694 | Stored XSS through a system message | Mediawiki - WikiLove Extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-21 |
| CVE-2025-62695 | Stored XSS through system messages | Mediawiki - WikiLambda Extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-21 |
| CVE-2025-62696 | Multiple critical security issues in Springboard | Mediawiki Foundation - Springboard Extension | CWE-77 | 9.8 (AI) | Critical (AI) | 2025-10-21 |
| CVE-2025-62699 | Special:Translate tool does not use the correct IP and User-Agent in the CheckUser tool | Mediawiki - Translate Extension | CWE-200 | 6.5 (AI) | Medium (AI) | 2025-10-21 |
| CVE-2025-62658 | SQL injection in WatchAnalytics through Special:ClearPendingReviews | MediaWiki WatchAnalytics extension | CWE-89 | 9.8 (AI) | Critical (AI) | 2025-10-20 |
| CVE-2025-62657 | Stored XSS through system messages in PageForms | MediaWiki PageForms extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-20 |
| CVE-2025-62656 | GlobalBlocking Special:GlobalBlockList vulnerable to message key stored XSS | MediaWiki GlobalBlocking extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-20 |
| CVE-2025-62697 | Improperly sanitized style parameter in LanguageSelector | Mediawiki - LanguageSelector Extension | CWE-74 | 9.8 (AI) | Critical (AI) | 2025-10-20 |
| CVE-2025-62698 | Stored XSS through system messages in ExternalGuidance | Mediawiki - ExternalGuidance | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-20 |
| CVE-2025-62700 | Stored XSS through a system message in MultiBoilerplate | Mediawiki - MultiBoilerplate Extension maste | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-20 |
| CVE-2025-62693 | Stored XSS through system messages in LastModified | Mediawiki - LastModified Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-20 |
| CVE-2025-11937 | Stored XSS through a system message in SecurePoll | Mediawiki - SecurePoll Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-18 |
| CVE-2025-62666 | DoS vector through the cirrusbuilddoc query API | Mediawiki - CirrusSearch Extension | CWE-770 | 7.5 (AI) | High (AI) | 2025-10-18 |
| CVE-2025-62667 | Stored XSS through article extracts in GrowthExperiments | Mediawiki - GrowthExperiments Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-18 |

This page lists every published CVE security advisory associated with The Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.