MediaWiki Wiki Platform

MediaWiki EOL Dates

Ensure that you are using a supported version of MediaWiki. Here are some end-of-life and end-of-support dates for MediaWiki.

Release  EOL Date            Status
1.45     December 31, 2026   EOL This Year
1.44     July 31, 2026       EOL This Year
1.43     December 31, 2027   Active (EOL next year)
1.42     June 30, 2025       EOL
1.41     December 31, 2024   EOL
1.40     June 28, 2024       EOL
1.39     December 31, 2025   EOL
1.38     June 30, 2023       EOL
1.37     November 30, 2022   EOL
1.36     June 3, 2022        EOL
1.35     December 21, 2023   EOL
1.34     November 30, 2020   EOL
1.33     June 30, 2020       EOL
1.32     January 24, 2020    EOL
1.31     September 30, 2021  EOL

By the Year

In 2026 there have been 21 vulnerabilities in MediaWiki with an average score of 4.7 out of ten. Last year, in 2025, MediaWiki had 13 security vulnerabilities published. That is, 8 more vulnerabilities have already been reported in 2026 than in all of last year. The average CVE base score of the vulnerabilities in 2026 is also higher, by 1.20.

Year  Vulnerabilities  Average Score
2026  21               4.70
2025  13               3.50
2024  30               5.76
2023  39               5.85
2022  33               6.56
2021  46               6.16
2020  30               6.31
2019  12               5.30
2018  4                5.65

It may take a day or so for new MediaWiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent MediaWiki Security Vulnerabilities

MediaWiki XSS via mediawiki.JqueryMsg.Js before 1.45.1
CVE-2025-67481 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

XSS

XSS in MediaWiki Page.Preview.Js (pre1.43.6, 1.44.3, 1.45.1)
CVE-2025-67483 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.

XSS

MediaWiki API Query Revisions Base RCE before 1.39.16/1.43.6/1.44.3/1.45.1
CVE-2025-67480 - February 03, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Improper Input Validation

MediaWiki XSS in CommentParser.Php before 1.39.16 (fixed 1.39.16)
CVE-2025-67475 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

XSS

MediaWiki <1.44.3/1.45.1: ImportableOldRevisionImporter.PHP RCE
CVE-2025-67476 - February 03, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

MediaWiki XSS in ApiSandboxLayout.Js before 1.44.3/1.45.1
CVE-2025-67477 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

XSS

MediaWiki <=1.39.13, 1.43.3, 1.44.0 ParserSanitizer RCE
CVE-2025-67479 - February 03, 2026

Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1.

MediaWiki XSS in CodexTablePager.PHP before 1.44.1 (VWMK)
CVE-2025-61645 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.

XSS

MediaWiki XSS via WatchlistTopSectionWidget.js
CVE-2025-61644 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before commit fb856ce9cf121e046305116852cca4899ecb48ca.

XSS

MediaWiki XSS via Edit.Preview.Js (pre1.39.14/1.43.4/1.44.1)
CVE-2025-61637 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

XSS

MediaWiki ManualLogEntry PHP info leak before 1.39.14/1.43.4/1.44.1
CVE-2025-61639 - February 02, 2026

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Information Disclosure

MediaWiki 1.44 < 1.44.1 AllPages API Vulnerability (Traversal)
CVE-2025-61641 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Directory traversal

MediaWiki XSS via CodexHTMLForm.PHP before 1.39.14/1.43.4/1.44.1
CVE-2025-61642 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

XSS

MediaWiki RCFeedNotifier PHP RCE <1.39.14, 1.43.4, 1.44.1
CVE-2025-61643 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

MediaWiki PageHTMLHandler PHP RCE before 1.39.14/1.43.4/1.44.1
CVE-2025-61634 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

MediaWiki <1.44.0 Unauthorized Info Leak via HTMLUserTextField
CVE-2025-6590 - February 02, 2026

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76, 1.43.1, 1.44.0.

Information Disclosure

MediaWiki ApiFeedContributions.php Vulnerability pre-1.39.13/1.42.7/1.44.0
CVE-2025-6591 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

XSS

MediaWiki User.Php Path Traversal (from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0)
CVE-2025-6593 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

Information Disclosure

MediaWiki XSS via ApiSandbox.Js <=1.39.13,1.42.7,1.43.2,1.44.0
CVE-2025-6594 4.7 - Medium - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

XSS

MediaWiki AuthManager PHP RCE before 1.39.13, 1.42.7, 1.43.2, 1.44.0
CVE-2025-6597 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

Directory traversal

MediaWiki 1.42-1.44 BlockListPager.Php & ApiQueryBlocks.Php Vulnerability
CVE-2025-6927 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

Directory traversal

Mediawiki Lockdown Ext <1.42: Privilege Abuse via Incorrect Permission Assignment
CVE-2025-12004 - October 21, 2025

Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action API. This issue affects Mediawiki - Lockdown Extension: from master before 1.42.

Incorrect Permission Assignment for Critical Resource

Stored XSS in Mediawiki Wikistories before v1.44
CVE-2025-62701 - October 21, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS. This issue affects Mediawiki - Wikistories: from master before 1.44.

XSS

MediaWiki ExternalGuidance Stored XSS before v1.39
CVE-2025-62698 - October 20, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ExternalGuidance allows Stored XSS. This issue affects Mediawiki - ExternalGuidance: from master before 1.39.

XSS

Mediawiki Cargo Extension Stored XSS Vulnerability
CVE-2025-62671 - October 18, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: master.

XSS

MediaWiki FeaturedFeeds Extension XSS (1.39-1.42-1.43)
CVE-2025-53502 - July 03, 2025

Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X.

MediaWiki Citizen skin 3.3.1: Arbitrary DOM insertion via raw HTML
CVE-2025-49575 - June 12, 2025

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.

XSS

MediaWiki Citizen skin before 3.3.1 allows arbitrary HTML injection
CVE-2025-49577 - June 12, 2025

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.

XSS

MediaWiki Citizen <3.3.1: Menu.mustache HTML Injection
CVE-2025-49579 - June 12, 2025

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.

XSS

MediaWiki ManageWiki ext disabling restricted ext without rights (CVE-2025-32964)
CVE-2025-32964 - April 22, 2025

ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched in commit 00bebea. A workaround involves ensuring that any extensions requiring specific permissions in `$wgManageWikiExtensions` also require the same permissions for managing any conflicting extensions.

AuthZ

Mediawiki – HTML Tags XSS (CVE-2025-32073) 1.39–1.43
CVE-2025-32073 - April 11, 2025

Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS). This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43.

MediaWiki Version Compare XSS via Improper Escaping (1.39-1.43)
CVE-2025-32078 - April 11, 2025

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43.

MediaWiki Lakeus Skin XSS via system messages (1.0.8-1.4.0)
CVE-2025-25287 - February 13, 2025

Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to stored cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch.

XSS

MediaWiki GlobalBlocking Ext: Sensitive Info Leak to Unauthorized Actor
CVE-2025-23073 3.5 - Low - January 14, 2025

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly impacted the master branch of MediaWiki's GlobalBlocking Extension.

Information Disclosure

CVE-2024-47815: XSS in MediaWiki Extension IncidentReporting
CVE-2024-47815 - October 09, 2024

IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the `editincidents` right, some are available to those who can edit interface messages (typically administrators and interface admins), and one is available to those who can edit LocalSettings.php. These issues have been addressed in commit `43896a4` and all users are advised to upgrade. Users unable to upgrade should prevent access to the Special:IncidentReports page.

XSS

Unescaped vector-toc-toggle-button-label in MediaWiki <1.39.5/1.40.0 vector skin
CVE-2023-45359 - October 09, 2024

An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup.

MediaWiki Vector Skin MalformedTitleException <1.39.5/1.40.1
CVE-2023-45361 - October 09, 2024

An issue was discovered in VectorComponentUserLinks.php in the Vector Skin component in MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-intro-page MalformedTitleException is uncaught if it is not a valid title, leading to incorrect web pages.

MediaWiki Apex Skin Stored XSS before 1.42.2
CVE-2024-47840 4.8 - Medium - October 05, 2024

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Apex skin allows Stored XSS. This issue affects Mediawiki - Apex skin: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

XSS

Mediawiki CSS Ext Encoding Flaw -> Code Injection (1.42.x < 1.42.2)
CVE-2024-47845 8.2 - High - October 05, 2024

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Output Sanitization

AbuseFilter Ext <1.42.2: Unauth API Log Exposure
CVE-2024-47913 - October 04, 2024

An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter.

MediaWiki (Citizen Skin) XSS via real name before v2.31.0
CVE-2024-47536 - September 30, 2024

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.

XSS

MediaWikiChat API CSRF before 1.42.2
CVE-2024-40601 6.5 - Medium - July 07, 2024

An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules.

Session Riding

MediaWiki ArticleRatings <=1.42.1 CSRF via GET on Special:ChangeRating
CVE-2024-40603 4.3 - Medium - July 07, 2024

An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request.

Session Riding

Exposed Suppressed Log Events in MediaWiki CheckUser Extension v1.42.1
CVE-2024-40596 4.3 - Medium - July 07, 2024

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppressed information for log events. (TimelineService does not support properly suppressing.)

Insertion of Sensitive Information into Log File

MediaWiki CheckUser Exposes Suppressed Log Events (1.42.1)
CVE-2024-40598 4.3 - Medium - July 07, 2024

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events. (The log_deleted attribute is not applied to entries.)

Insertion of Sensitive Information into Log File

Stored XSS in MediaWiki Tempo skin via MediaWiki:Sidebar before 1.42.1
CVE-2024-40602 4.8 - Medium - July 07, 2024

An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

XSS

MediaWiki Nimbus skin <1.42.1 Stored XSS sidebar
CVE-2024-40604 4.8 - Medium - July 07, 2024

An issue was discovered in the Nimbus skin for MediaWiki through 1.42.1. There is Stored XSS via MediaWiki:Nimbus-sidebar menu and submenu entries.

XSS

MediaWiki Foreground Skin <=1.42.1 Stored XSS via Sidebar Entries
CVE-2024-40605 4.8 - Medium - July 07, 2024

An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

XSS

MediaWiki GuMaxDD Skin XSS via Sidebar (before 1.42.2)
CVE-2024-40599 4.8 - Medium - July 07, 2024

An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

XSS

MediaWiki Metrolook Stored XSS via Sidebar (1.42.1)
CVE-2024-40600 4.8 - Medium - July 07, 2024

An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

XSS
