
Wikimedia Foundation — Vulnerabilities & Security Advisories (107)

Browse all 107 CVE security advisories affecting Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Wikimedia Foundation operates the world’s largest collaborative encyclopedia platform, hosting Wikipedia and related projects that serve billions of monthly visitors. Its infrastructure relies on complex software stacks, including MediaWiki, which has historically been susceptible to various vulnerability classes. Common issues include cross-site scripting (XSS), SQL injection, and remote code execution (RCE) stemming from legacy code paths or misconfigurations. While the organization maintains a robust security posture with regular audits and bug bounty programs, the sheer scale of its codebase and the open nature of its editing model present unique challenges. Recent years have seen efforts to mitigate privilege escalation risks and improve input validation. Despite these ongoing technical hurdles, the Foundation remains a critical public resource, balancing transparency with the need to protect user data and system integrity against sophisticated cyber threats targeting its extensive digital footprint.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-61646 | Watchlist group mode reveals authors of edits with hidden authorship | MediaWiki | - | 8.2 (AI) | High (AI) | 2026-02-03 |
| CVE-2025-61647 | UserInfoCard: Don't allow access to information about users who are suppressed if you don't have suppressor rights | CheckUser | - | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-61644 | i18n XSS through Special:Watchlist | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61637 | Stored XSS through system messages in MW Core | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61638 | Sanitizer::validateAttributes data-XSS | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61639 | Suppressed blocked IP is visible in Special:BlockList, RC, and other places | MediaWiki | CWE-200 | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-61640 | Stored XSS through system messages in Special:RecentChangesLinked (MW Core) | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61641 | API list=allpages with maxsize is making really slow queries | MediaWiki | - | 9.1 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-61642 | Stored XSS through system messages provided to CodexHtmlForms | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61643 | EventStreams publishes suppressed recent change entries that are suppressed from their creation | MediaWiki | - | 5.3 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61634 | HTML rest endpoint needs PoolCounter and proper parser cache check | MediaWiki | - | 9.4 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-61635 | Add rate limiting to ApiFancyCaptchaReload | ConfirmEdit | - | 8.1 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-61636 | Codex Special:Block vulnerable to message key XSS | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6589 | With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList | MediaWiki | - | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6590 | Complete content leak of private wikis due to PasswordReset Wikitext injection in error message | MediaWiki | CWE-200 | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6591 | HTML injection in API action=feedcontributions output from i18n message | MediaWiki | - | 8.2 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6592 | Creating a permanent account from a temporary account associates temp username and IP address with real username in AbuseLog | AbuseFilter | - | 9.8 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-6593 | "{{SITENAME}} registered email address has been changed" email sent to unverified email addresses | MediaWiki | - | 8.1 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6594 | XSS in Special:ApiSandbox | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6595 | MediaWiki security vulnerability | MultimediaViewer | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6596 | Vector inserts portlet labels as HTML, allowing for stored XSS through system messages | Vector | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6597 | MediaWiki should not consider autocreation as login for the purposes of security reauthentication | MediaWiki | - | 9.8 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-6927 | Autoblocks from global account suppressions are publicly visible | MediaWiki | - | 8.2 (AI) | High (AI) | 2026-02-02 |
| CVE-2026-0817 | CampaignEvents API missing authorization exposes meeting and chat URLs | MediaWiki - CampaignEvents extension | CWE-862 | 8.8 | - | 2026-01-09 |
| CVE-2026-0671 | Multiple stored i18n/message-key XSSes in UploadWizard | MediaWiki - UploadWizard extension | CWE-79 | 6.1 | - | 2026-01-08 |
| CVE-2026-0670 | Stored XSS through a system message and a user-provided parameter in ProofreadPage | MediaWiki - ProofreadPage Extension | CWE-79 | 6.1 | - | 2026-01-07 |
| CVE-2026-0669 | Path Traversal vulnerability in CSS extension on certain web servers | MediaWiki - CSS extension | CWE-22 | 7.5 | - | 2026-01-07 |
| CVE-2026-0668 | VisualData extension: Regular Expression Denial of Service (ReDoS) via crafted user input | MediaWiki - VisualData Extension | CWE-1333 | 7.5 | - | 2026-01-07 |
| CVE-2025-52738 | WordPress Wikipedia Preview plugin <= 1.15.0 - Broken Access Control vulnerability | Wikipedia Preview | CWE-862 | 6.5 | Medium | 2025-10-22 |
| CVE-2025-62665 | Stored XSS through system messages in Skin:BlueSky | Mediawiki - Skin:BlueSky | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-18 |

Values marked (AI) carry the site's AI badge; "-" means the site shows no value for that cell.

This page lists every published CVE security advisory associated with Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.