Wikimedia Foundation — Vulnerabilities & Security Advisories (107)

Browse all 107 CVE security advisories affecting Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Wikimedia Foundation operates the world’s largest collaborative encyclopedia platform, hosting Wikipedia and related projects that serve billions of monthly visitors. Its infrastructure relies on complex software stacks, including MediaWiki, which has historically been susceptible to various vulnerability classes. Common issues include cross-site scripting (XSS), SQL injection, and remote code execution (RCE) stemming from legacy code paths or misconfigurations. While the organization maintains a robust security posture with regular audits and bug bounty programs, the sheer scale of its codebase and the open nature of its editing model present unique challenges. Recent years have seen efforts to mitigate privilege escalation risks and improve input validation. Despite these ongoing technical hurdles, the Foundation remains a critical public resource, balancing transparency with the need to protect user data and system integrity against sophisticated cyber threats targeting its extensive digital footprint.

| CVE ID | Title | Product | CWE | CVSS (AI) | Severity (AI) | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39837 | Stored XSS through the dynamic table format in Cargo | Mediawiki - Cargo Extension | CWE-80 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-39841 | Stored XSS through list fields on Cargo's page values and Special:CargoTables | Mediawiki - Cargo Extension | CWE-80 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-39840 | CSS injection in multiple Cargo display formats | Mediawiki - Cargo Extension | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-39839 | Stored XSS through URLs in Cargo's map format | Mediawiki - Cargo Extension | CWE-80 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-39838 | ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS | MediaWiki - ProofreadPage Extension | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-5762 | ReportIncident DiscussionTools integration causes slow requests | MediaWiki - ReportIncident Extension | CWE-770 | 7.5 | High | 2026-04-07 |
| CVE-2025-67481 | mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-67482 | Lua segfault in unpack() | Scribunto | | 9.8 | Critical | 2026-02-03 |
| CVE-2025-67483 | Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-67484 | Action API xslt option allows JavaScript execution by administrators who are not interface administrators | MediaWiki | | 9.8 | Critical | 2026-02-03 |
| CVE-2025-67480 | list=allrevisions can be used to bypass Extension:Lockdown | MediaWiki | | 9.8 | Critical | 2026-02-03 |
| CVE-2025-67475 | Stored XSS through edit summaries in MW Core | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-67476 | Importing leaks IP address of importer via EventStreams | MediaWiki | | 9.8 | Critical | 2026-02-03 |
| CVE-2025-67477 | Stored XSS through a system message in Special:ApiSandbox | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-67478 | Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, Jähn" | CheckUser | | 9.8 | Critical | 2026-02-03 |
| CVE-2025-67479 | Magic word replacement in legacy parser allows using reserved data attributes through wikitext | MediaWiki | | 9.1 | Critical | 2026-02-03 |
| CVE-2025-61654 | UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks | Thanks | | 4.3 | Medium | 2026-02-03 |
| CVE-2025-61655 | Stored XSS through system messages in VisualEditor | VisualEditor | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-61656 | XSS when pasting into VE | VisualEditor | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-61657 | Wikimedia Vector security vulnerability | Vector | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-61658 | Special:GlobalContributions shows edits on wikis the viewer doesn't have access to | CheckUser | | 9.1 | Critical | 2026-02-03 |
| CVE-2025-61653 | Extension:TextExtracts does not check for authorizeRead when returning extracts | TextExtracts | | 8.1 | High | 2026-02-03 |
| CVE-2025-61652 | Action API discussiontoolspageinfo does not check for authorizeRead for the page | DiscussionTools | | 6.5 | Medium | 2026-02-03 |
| CVE-2025-61651 | i18n XSS through Special:CheckUser CheckUser helper | CheckUser | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-11173 | Reauth for enabling 2FA can be bypassed by submitting a form | OATHAuth | | 8.1 | High | 2026-02-03 |
| CVE-2025-11261 | Stored i18n XSS exposed by security patch for T402077 | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-61648 | Stored XSS through system messages in CheckUser | CheckUser | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-61649 | UserInfoCard: Check that performing user has permission to view log entries for number of past blocks | CheckUser | | 9.1 | Critical | 2026-02-03 |
| CVE-2025-61650 | UserInfoCard is vulnerable to message key stored XSS | CheckUser | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-61645 | CodexTablePager has i18n XSS | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |

This page lists every published CVE security advisory associated with Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.