MediaWiki: Wiki software powering Wikipedia


Products by MediaWiki, sorted by most security vulnerabilities since 2018

MediaWiki (Wiki Platform): 232 vulnerabilities
MediaWiki Abusefilter: 4 vulnerabilities
MediaWiki Cargo: 4 vulnerabilities
MediaWiki Checkuser: 2 vulnerabilities
MediaWiki Mobilefrontend: 2 vulnerabilities
MediaWiki Createredirect: 1 vulnerability
MediaWiki Matomo: 1 vulnerability
Mediawiki Botquery Ext: 1 vulnerability
Rss For Mediawiki: 1 vulnerability
MediaWiki Score: 1 vulnerability
MediaWiki Skin: 1 vulnerability
MediaWiki Visual Editor: 1 vulnerability

By the Year

In 2026 there have been 21 vulnerabilities in MediaWiki with an average score of 4.7 out of ten. Last year, in 2025, MediaWiki had 14 security vulnerabilities published. That is, 7 more vulnerabilities have already been reported in 2026 than in all of last year, and the average CVE base score of the 2026 vulnerabilities is higher by 1.20.




Year Vulnerabilities Average Score
2026 21 4.70
2025 14 3.50
2024 33 6.05
2023 42 5.97
2022 37 6.55
2021 46 6.16
2020 34 6.31
2019 17 5.30
2018 4 5.65

It may take a day or so for new MediaWiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent MediaWiki Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-67481 Feb 03, 2026
MediaWiki XSS via mediawiki.JqueryMsg.Js before 1.45.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
MediaWiki
CVE-2025-67483 Feb 03, 2026
XSS in MediaWiki Page.Preview.Js (pre1.43.6, 1.44.3, 1.45.1) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.
MediaWiki
CVE-2025-67480 Feb 03, 2026
MediaWiki API Query Revisions Base RCE before 1.39.16/1.43.6/1.44.3/1.45.1 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
MediaWiki
CVE-2025-67475 Feb 03, 2026
MediaWiki XSS in CommentParser.Php before 1.39.16 (fixed 1.39.16) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
MediaWiki
CVE-2025-67476 Feb 03, 2026
MediaWiki <1.44.3/1.45.1: ImportableOldRevisionImporter.PHP RCE Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.
MediaWiki
CVE-2025-67477 Feb 03, 2026
MediaWiki XSS in ApiSandboxLayout.Js before 1.44.3/1.45.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.
MediaWiki
CVE-2025-67479 Feb 03, 2026
MediaWiki <=1.39.13, 1.43.3, 1.44.0 ParserSanitizer RCE Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki
CVE-2025-61645 Feb 03, 2026
MediaWiki XSS in CodexTablePager.PHP before 1.44.1 (VWMK) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.
MediaWiki
CVE-2025-61644 Feb 02, 2026
MediaWiki XSS via WatchlistTopSectionWidget.js Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca.
MediaWiki
CVE-2025-61637 Feb 02, 2026
MediaWiki XSS via Edit.Preview.Js (pre1.39.14/1.43.4/1.44.1) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki
CVE-2025-61639 Feb 02, 2026
MediaWiki ManualLogEntry PHP info leak before 1.39.14/1.43.4/1.44.1 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki
CVE-2025-61641 Feb 02, 2026
MediaWiki 1.44 < 1.44.1 AllPages API Vulnerability (Traversal) Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki
CVE-2025-61642 Feb 02, 2026
MediaWiki XSS via CodexHTMLForm.PHP before 1.39.14/1.43.4/1.44.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki
CVE-2025-61643 Feb 02, 2026
MediaWiki RCFeedNotifier PHP RCE <1.39.14, 1.43.4, 1.44.1 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki
CVE-2025-61634 Feb 02, 2026
MediaWiki PageHTMLHandler PHP RCE before 1.39.14/1.43.4/1.44.1 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki
CVE-2025-6590 Feb 02, 2026
MediaWiki <1.44.0 Unauthorized Info Leak via HTMLUserTextField Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76, 1.43.1, 1.44.0.
MediaWiki
CVE-2025-6591 Feb 02, 2026
MediaWiki ApiFeedContributions.php Vulnerability pre-1.39.13/1.42.7/1.44.0 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
MediaWiki
CVE-2025-6593 Feb 02, 2026
MediaWiki User.Php Path Traversal (1.27.0 before 1.39.13, 1.42.7 before 1.44.0) Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
MediaWiki
CVE-2025-6594 Feb 02, 2026
MediaWiki XSS via ApiSandbox.Js <=1.39.13, 1.42.7, 1.43.2, 1.44.0 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
MediaWiki
CVE-2025-6597 Feb 02, 2026
MediaWiki AuthManager PHP RCE before 1.39.13, 1.42.7, 1.43.2, 1.44.0 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
MediaWiki
CVE-2025-6927 Feb 02, 2026
MediaWiki 1.42-1.44 BlockListPager.Php & ApiQueryBlocks.Php Vulnerability Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
MediaWiki
CVE-2025-12004 Oct 21, 2025
Mediawiki Lockdown Ext <1.42: Privilege Abuse via Incorrect Permission Assignment Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action API. This issue affects Mediawiki - Lockdown Extension: from master before 1.42.
MediaWiki
CVE-2025-62701 Oct 21, 2025
Stored XSS in Mediawiki Wikistories before v1.44 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS. This issue affects Mediawiki - Wikistories: from master before 1.44.
MediaWiki
CVE-2025-62698 Oct 20, 2025
MediaWiki ExternalGuidance Stored XSS before v1.39 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ExternalGuidance allows Stored XSS. This issue affects Mediawiki - ExternalGuidance: from master before 1.39.
MediaWiki
CVE-2025-62671 Oct 18, 2025
Mediawiki Cargo Extension Stored XSS Vulnerability Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: master.
MediaWiki
CVE-2025-53495 Jul 07, 2025
Missing Auth in MediaWiki AbuseFilter Ext: 1.43.X (<1.43.2) Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access. This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.
Abusefilter
CVE-2025-53502 Jul 03, 2025
MediaWiki FeaturedFeeds Extension XSS (1.39, 1.42, 1.43) Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X.
MediaWiki
CVE-2025-49579 Jun 12, 2025
MediaWiki Citizen <3.3.1: Menu.mustache HTML Injection Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
MediaWiki
CVE-2025-49577 Jun 12, 2025
MediaWiki Citizen skin before 3.3.1 allows arbitrary HTML injection Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.
MediaWiki
CVE-2025-49575 Jun 12, 2025
MediaWiki Citizen skin 3.3.1: Arbitrary DOM insertion via raw HTML Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
MediaWiki
CVE-2025-32964 Apr 22, 2025
MediaWiki ManageWiki ext disabling restricted ext without rights (CVE-2025-32964) ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched in commit 00bebea. A workaround involves ensuring that any extensions requiring specific permissions in `$wgManageWikiExtensions` also require the same permissions for managing any conflicting extensions.
MediaWiki
CVE-2025-32073 Apr 11, 2025
Mediawiki HTML Tags XSS (CVE-2025-32073) 1.39 through 1.43 Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS). This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43.
MediaWiki
CVE-2025-32078 Apr 11, 2025
MediaWiki Version Compare XSS via Improper Escaping (1.39-1.43) Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43.
MediaWiki
CVE-2025-25287 Feb 13, 2025
MediaWiki Lakeus Skin XSS via system messages (1.0.8-1.4.0) Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to stored cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch.
MediaWiki
CVE-2025-23073 Jan 14, 2025
MediaWiki GlobalBlocking Ext: Sensitive Info Leak to Unauthorized Actor Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly impacted the master branch of MediaWiki's GlobalBlocking Extension.
MediaWiki
CVE-2024-47815 Oct 09, 2024
CVE-2024-47815: XSS in MediaWiki Extension IncidentReporting IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the `editincidents` right, some are available to those who can edit interface messages (typically administrators and interface admins), and one is available to those who can edit LocalSettings.php. These issues have been addressed in commit `43896a4` and all users are advised to upgrade. Users unable to upgrade should prevent access to the Special:IncidentReports page.
MediaWiki
CVE-2023-45359 Oct 09, 2024
Unescaped vector-toc-toggle-button-label in MediaWiki <1.39.5/1.40.0 vector skin An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup.
MediaWiki
CVE-2023-45361 Oct 09, 2024
MediaWiki Vector Skin MalformedTitleException <1.39.5/1.40.1 An issue was discovered in VectorComponentUserLinks.php in the Vector Skin component in MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-intro-page MalformedTitleException is uncaught if it is not a valid title, leading to incorrect web pages.
MediaWiki
CVE-2024-47849 Oct 05, 2024
MediaWiki Cargo SQLi Before 3.6.1 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection. This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
Cargo
CVE-2024-47847 Oct 05, 2024
Mediawiki Cargo XSS before 3.6.1 (Improper Neutralization) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
Cargo
CVE-2024-47846 Oct 05, 2024
MediaWiki-Cargo 3.6.X CSRF Vulnerability (before 3.6.1) Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery. This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
Cargo
CVE-2024-47840 Oct 05, 2024
MediaWiki Apex Skin Stored XSS before 1.42.2 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Apex skin allows Stored XSS. This issue affects Mediawiki - Apex skin: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
MediaWiki
CVE-2024-47845 Oct 05, 2024
Mediawiki CSS Ext Encoding Flaw -> Code Injection (1.42.x < 1.42.2) Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
MediaWiki
CVE-2024-47913 Oct 04, 2024
AbuseFilter Ext <1.42.2: Unauth API Log Exposure An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter.
MediaWiki
CVE-2024-47536 Sep 30, 2024
MediaWiki (Citizen Skin) XSS via real name before v2.31.0 Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.
MediaWiki
CVE-2024-40605 Jul 07, 2024
MediaWiki Foreground Skin <=1.42.1 Stored XSS via Sidebar Entries An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.
MediaWiki
CVE-2024-40604 Jul 07, 2024
MediaWiki Nimbus skin <1.42.1 Stored XSS sidebar An issue was discovered in the Nimbus skin for MediaWiki through 1.42.1. There is Stored XSS via MediaWiki:Nimbus-sidebar menu and submenu entries.
MediaWiki
CVE-2024-40603 Jul 07, 2024
MediaWiki ArticleRatings <=1.42.1 CSRF via GET on Special:ChangeRating An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request.
MediaWiki
CVE-2024-40601 Jul 07, 2024
MediaWikiChat API CSRF before 1.42.2 An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules.
MediaWiki
CVE-2024-40599 Jul 07, 2024
MediaWiki GuMaxDD Skin XSS via Sidebar (before 1.42.2) An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.
MediaWiki
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).