miraheze — Vulnerabilities & Security Advisories 23

Browse all 23 CVE security advisories affecting miraheze. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Miraheze operates as a non-profit wiki hosting service, leveraging MediaWiki software to provide free, community-driven knowledge bases. With twenty-three recorded Common Vulnerabilities and Exposures, the platform has historically faced risks associated with its underlying open-source infrastructure. These vulnerabilities typically manifest as cross-site scripting, SQL injection, and privilege escalation flaws, often stemming from third-party extensions or outdated core components rather than fundamental architectural failures. Security incidents have generally been limited to localized exploitation attempts rather than widespread data breaches, reflecting the platform’s decentralized nature. The organization maintains a responsible disclosure policy, addressing reported issues through prompt patching and configuration hardening. While the high CVE count suggests a complex attack surface due to extensive plugin usage, the actual impact remains constrained by the platform’s read-heavy usage model and strict sandboxing of user-generated content, ensuring that most exploits require authenticated access or specific extension configurations to succeed.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-33541 | TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service | TSPortal | CWE-400 | 6.5 | Medium | 2026-03-26 |
| CVE-2026-29788 | TSPortal: Anyone can forge self-deletion requests of any user | TSPortal | CWE-283 | 6.5 | - | 2026-03-06 |
| CVE-2025-53371 | DiscordNotifications allows DOS, SSRF, and possible RCE through requests to user-controlled URLs | DiscordNotifications | CWE-400 | 9.1 | Critical | 2025-07-10 |
| CVE-2025-43861 | ManageWiki Vulnerable to Self-XSS in review dialog via unsanitized field reflection | ManageWiki | CWE-79 | 4.4 | Medium | 2025-04-24 |
| CVE-2025-32964 | ManageWiki vulnerable to permission bypass when disabling extensions requiring certain permissions in Special:ManageWiki/extensions | ManageWiki | CWE-285 | 4.6 | Medium | 2025-04-22 |
| CVE-2025-32956 | ManageWiki has SQL injection vulnerability in NamespaceMigrationJob | ManageWiki | CWE-89 | 8.0 | High | 2025-04-21 |
| CVE-2024-47815 | Cross-site Scripting in IncidentReporting | IncidentReporting | CWE-79 | 6.0 | Medium | 2024-10-09 |
| CVE-2024-47816 | Users can impersonate import requesters if their actor IDs coincide in ImportDump | ImportDump | CWE-282 | 6.4 | Medium | 2024-10-09 |
| CVE-2024-47812 | Cross-site Scripting (XSS) on Special:RequestImportQueue when displaying request date in ImportDump | ImportDump | CWE-79 | 6.0 | Medium | 2024-10-09 |
| CVE-2024-47781 | Cross-site Scripting (XSS) in Special:RequestWikiQueue when displaying sitename in CreateWiki | CreateWiki | CWE-79 | 5.4 | - | 2024-10-07 |
| CVE-2024-47782 | Cross-site Scripting (XSS) in Special:WikiDiscover when displaying wiki information in WikiDiscover | WikiDiscover | CWE-79 | 7.6 | High | 2024-10-07 |
| CVE-2024-47612 | XSS in Special:DataDump when displaying dump status | DataDump | CWE-79 | 3.5 | Low | 2024-10-02 |
| CVE-2024-34701 | CreateWiki vulnerable to impersonation of wiki requester | CreateWiki | CWE-863 | 5.9 | Medium | 2024-05-13 |
| CVE-2024-29898 | Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis | CreateWiki | CWE-200 | 4.9 | Medium | 2024-03-28 |
| CVE-2024-29897 | CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki` | CreateWiki | CWE-200 | 4.9 | Medium | 2024-03-28 |
| CVE-2024-29883 | CreateWiki's wiki request suppression ignores the suppression settings set by the suppressor | CreateWiki | CWE-200 | 4.9 | Medium | 2024-03-26 |
| CVE-2024-25109 | Cross-Site Scripting in the extensions, settings, permissions and namespaces subpages of ManageWiki | ManageWiki | CWE-79 | 6.5 | Medium | 2024-02-09 |
| CVE-2024-25107 | Cross-Site Scripting in WikiDiscover | WikiDiscover | CWE-79 | 4.9 | Medium | 2024-02-08 |
| CVE-2022-24813 | Authentication Bypass Using an Alternate Path or Channel in CreateWiki | CreateWiki | CWE-288 | 5.3 | Medium | 2022-04-04 |
| CVE-2021-39186 | Improper Input Validation in GlobalNewFiles | GlobalNewFiles | CWE-20 | 4.3 | Medium | 2021-09-01 |
| CVE-2021-32774 | Cross-Site Request Forgery (CSRF) in DataDump | DataDump | CWE-352 | 6.1 | Medium | 2021-07-20 |
| CVE-2021-32722 | Uncontrolled Resource Consumption in GlobalNewFiles | GlobalNewFiles | CWE-400 | 6.5 | Medium | 2021-06-28 |
| CVE-2021-29483 | wikiconfig API leaked private config variables set through ManageWiki | ManageWiki | CWE-200 | 9.4 | Critical | 2021-04-28 |

This page lists every published CVE security advisory associated with miraheze. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.