Dokuwiki
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Dokuwiki.
By the Year
In 2026 there have been 2 vulnerabilities in Dokuwiki with an average score of 6.4 out of ten. Last year, in 2025 Dokuwiki had 1 security vulnerability published. That is, 1 more vulnerability have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.10
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 6.40 |
| 2025 | 1 | 6.50 |
| 2024 | 1 | 0.00 |
| 2023 | 1 | 5.40 |
| 2022 | 2 | 6.10 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 0.00 |
It may take a day or so for new Dokuwiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Dokuwiki Security Vulnerabilities
DokuWiki Denial of Service via media_upload_xhr (CVE-2026-26477)
CVE-2026-26477
7.5 - High
- April 03, 2026
An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file
Allocation of Resources Without Limits or Throttling
DokuWiki username enumeration via password reset (CVE-2019-25338)
CVE-2019-25338
5.3 - Medium
- February 12, 2026
DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.
Observable Response Discrepancy
XSS in DokuWiki 2025-05-14a Librarian via q param
CVE-2025-61224
6.5 - Medium
- October 06, 2025
Cross Site Scripting vulnerability in DokuWiki 2025-05-14a 'Librarian'[56.1] allows a remote attacker to execute arbitrary code via the q parameter
XSS
Arbitrary File Upload in DokuWiki Media Manager SVG Exploit
CVE-2024-33103
- April 30, 2024
An arbitrary file upload vulnerability in the Media Manager component of DokuWiki 2024-02-06a allows attackers to execute arbitrary code by uploading a crafted SVG file. NOTE: as noted in the 4267 issue reference, there is a position that exploitability can only occur with a misconfiguration of the product.
DokuWiki XSS via RSS title (pre-2023-04-04a)
CVE-2023-34408
5.4 - Medium
- June 05, 2023
DokuWiki before 2023-04-04a allows XSS via RSS titles.
XSS
Dokuwiki XSS Reflected Vulnerability in splitbrain/dokuwiki
CVE-2022-3123
6.1 - Medium
- September 05, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a.
XSS
HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability
CVE-2022-28919
6.1 - Medium
- May 12, 2022
HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename.
XSS
CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value
CVE-2018-15474
- September 07, 2018
CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki.
