Wikimedia Foundation — Vulnerabilities & Security Advisories 107

Browse all 107 CVE security advisories affecting Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Wikimedia Foundation runs Wikipedia and its sister projects on MediaWiki, the open-source wiki engine that is also deployed by thousands of third-party wikis, so a MediaWiki core advisory matters well beyond Wikimedia's own sites. Older MediaWiki advisories include cross-site scripting (XSS), SQL injection and remote code execution in legacy code paths; the entries on this page are instead dominated by four classes. First, stored and internationalization (i18n) XSS (CWE-79), where a system message or a message parameter is rendered as HTML rather than as text (Special:ApiSandbox, Special:Watchlist, Codex forms, mw.message(...).parse()). Second, information disclosure (CWE-200) of suppressed usernames, hidden blocks and IP addresses through block lists, watchlists, EventStreams and AbuseFilter logs. Third, authorization gaps such as list=allrevisions bypassing Extension:Lockdown and reauthentication treating account autocreation as a login. Fourth, denial of service through expensive API or REST queries. The Foundation tracks security bugs in Phabricator (the T402077 reference below is such a task) and ships fixes in coordinated MediaWiki point releases, often publishing a batch of advisories on the same day; the practical check for any MediaWiki operator is therefore whether core and each bundled extension are at or above the release that carries the relevant fix.
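The i18n/system-message XSS class that accounts for most CWE-79 rows below comes down to one question: does a message body, or a parameter substituted into it, reach the DOM as HTML or as text? The following is an added example written for this page, not MediaWiki's code: a toy message store with three rendering paths (fully raw, parameters escaped but body trusted, everything escaped) and a small audit that finds message bodies carrying markup. All names (MESSAGES, renderAsHtmlUnsafe, renderParamsEscaped, renderAsText, containsRawTag, auditMessages) and the sample messages are hypothetical and constructed.

```javascript
// Added example (not MediaWiki code): the system-message XSS pattern behind
// most CWE-79 entries on this page. A message body or a message parameter
// that reaches the DOM as HTML instead of text becomes script.
// All names below are hypothetical.

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);

// Constructed sample message store. 'greeting' is a normal message;
// 'tampered' stands in for a system message that someone with edit rights
// on the message namespace changed to carry an event-handler attribute.
const MESSAGES = {
  greeting: 'Hello, $1!',
  tampered: 'Hello, $1! <img src=x onerror="alert(1)">',
};

// Substitute $1, $2, ... with the given parameters; unknown indices stay as-is.
function substitute(text, params) {
  return text.replace(/\$(\d+)/g, (m, n) =>
    params[n - 1] !== undefined ? params[n - 1] : m);
}

// Vulnerable: body and parameters are both emitted as raw HTML, so either a
// tampered message or a user-supplied parameter can inject markup.
function renderAsHtmlUnsafe(key, ...params) {
  return substitute(MESSAGES[key], params);
}

// Half-fixed: parameters are escaped, but the body is still trusted as HTML.
// This closes the parameter vector and leaves the message-body vector open.
function renderParamsEscaped(key, ...params) {
  return substitute(MESSAGES[key], params.map(escapeHtml));
}

// Fixed: the whole rendered message is text. Insert it via textContent, or
// keep it escaped as returned here if it must go through innerHTML.
function renderAsText(key, ...params) {
  return escapeHtml(substitute(MESSAGES[key], params));
}

// Detection helper: does a rendered string still contain an unescaped tag?
function containsRawTag(html) {
  return /<[a-z!\/]/i.test(html);
}

// Audit helper: which message bodies carry markup and therefore must never be
// routed through an HTML-rendering path? Returns the keys, sorted.
function auditMessages(store = MESSAGES) {
  return Object.keys(store).filter((k) => containsRawTag(store[k])).sort();
}

// Demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of [renderAsHtmlUnsafe, renderParamsEscaped, renderAsText]) {
    const out = f('tampered', '<b>Alice</b>');
    console.log(`${f.name}: ${out}  rawTag=${containsRawTag(out)}`);
  }
  console.log('messages with markup:', auditMessages());
}
```

The middle path is the one to watch for in code review: escaping parameters looks like a fix and does stop a parameter-based payload, yet a message body that is itself attacker-influenced still lands in the page as live markup. The audit helper is the kind of check to run over a wiki's customised MediaWiki-namespace messages before trusting any of them on the HTML path.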

Found 38 results / 107 (30 listed below)

| CVE ID | Title | Product | CWE | CVSS (AI) | Severity (AI) | Published |
|---|---|---|---|---|---|---|
| CVE-2025-67481 | mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-67483 | Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-67484 | Action API xslt option allows JavaScript execution by administrators who are not interface administrators | MediaWiki | | 9.8 | Critical | 2026-02-03 |
| CVE-2025-67480 | list=allrevisions can be used to bypass Extension:Lockdown | MediaWiki | | 9.8 | Critical | 2026-02-03 |
| CVE-2025-67475 | Stored XSS through edit summaries in MW Core | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-67476 | Importing leaks IP address of importer via EventStreams | MediaWiki | | 9.8 | Critical | 2026-02-03 |
| CVE-2025-67477 | Stored XSS through a system message in Special:ApiSandbox | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-67479 | Magic word replacement in legacy parser allows using reserved data attributes through wikitext | MediaWiki | | 9.1 | Critical | 2026-02-03 |
| CVE-2025-11261 | Stored i18n XSS exposed by security patch for T402077 | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-61645 | CodexTablePager has i18n XSS | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-03 |
| CVE-2025-61646 | Watchlist group mode reveals authors of edits with hidden authorship | MediaWiki | | 8.2 | High | 2026-02-03 |
| CVE-2025-61644 | i18n XSS through Special:Watchlist | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-02 |
| CVE-2025-61637 | Stored XSS through system messages in MW Core | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-02 |
| CVE-2025-61638 | Sanitizer::validateAttributes data-XSS | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-02 |
| CVE-2025-61639 | Suppressed blocked IP is visible in Special:BlockList, RC, and other places | MediaWiki | CWE-200 | 7.5 | High | 2026-02-02 |
| CVE-2025-61640 | Stored XSS through system messages in Special:RecentChangesLinked (MW Core) | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-02 |
| CVE-2025-61641 | API list=allpages with maxsize is making really slow queries | MediaWiki | | 9.1 | Critical | 2026-02-02 |
| CVE-2025-61642 | Stored XSS through system messages provided to CodexHtmlForms | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-02 |
| CVE-2025-61643 | EventStreams publishes suppressed recent change entries that are suppressed from their creation | MediaWiki | | 5.3 | Medium | 2026-02-02 |
| CVE-2025-61634 | HTML rest endpoint needs PoolCounter and proper parser cache check | MediaWiki | | 9.4 | Critical | 2026-02-02 |
| CVE-2025-61636 | Codex Special:Block vulnerable to message key XSS | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-02 |
| CVE-2025-6589 | With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList | MediaWiki | | 7.5 | High | 2026-02-02 |
| CVE-2025-6590 | Complete content leak of private wikis due to PasswordReset Wikitext injection in error message | MediaWiki | CWE-200 | 7.5 | High | 2026-02-02 |
| CVE-2025-6591 | HTML injection in API action=feedcontributions output from i18n message | MediaWiki | | 8.2 | High | 2026-02-02 |
| CVE-2025-6593 | "{{SITENAME}} registered email address has been changed" email sent to unverified email addresses | MediaWiki | | 8.1 | High | 2026-02-02 |
| CVE-2025-6594 | XSS in Special:ApiSandbox | MediaWiki | CWE-79 | 6.1 | Medium | 2026-02-02 |
| CVE-2025-6597 | MediaWiki should not consider autocreation as login for the purposes of security reauthentication | MediaWiki | | 9.8 | Critical | 2026-02-02 |
| CVE-2025-6927 | Autoblocks from global account suppressions are publicly visible | MediaWiki | | 8.2 | High | 2026-02-02 |
| CVE-2025-32700 | AbuseFilter log interfaces expose global private and hidden filters when central DB is not available | MediaWiki | CWE-200 | 7.5 | High | 2025-04-10 |
| CVE-2025-32699 | Potential javascript injection attack enabled by Unicode normalization in Action API | MediaWiki | CWE-79 | 9.1 | Critical | 2025-04-10 |

This page lists every published CVE security advisory associated with Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.