MediaWiki (Wiki Platform)

MediaWiki EOL Dates

Ensure that you are using a supported version of MediaWiki. Here are the end-of-life (end-of-support) dates for MediaWiki releases, with their status as of 2025. Releases 1.31, 1.35, 1.39 and 1.43 are long-term support (LTS) releases, which is why their support windows run longer than the usual year after release.

Release   EOL Date             Status
1.44      June 30, 2026        Active (EOL next year, June 2026)
1.43      December 31, 2027    Active (LTS; EOL in 2027)
1.42      June 30, 2025        EOL
1.41      December 31, 2024    EOL
1.40      June 28, 2024        EOL
1.39      December 31, 2025    EOL this year (LTS; December 2025)
1.38      June 30, 2023        EOL
1.37      November 30, 2022    EOL
1.36      June 3, 2022         EOL
1.35      December 21, 2023    EOL (LTS)
1.34      November 30, 2020    EOL
1.33      June 30, 2020        EOL
1.32      January 24, 2020     EOL
1.31      September 30, 2021   EOL (LTS)

By the Year

In 2025 there have been 13 vulnerabilities in MediaWiki with an average CVSS base score of 3.5 out of 10. Last year, in 2024, MediaWiki had 30 security vulnerabilities published with an average base score of 5.76, which is 2.26 higher than this year's. At the current rate, MediaWiki is on track to have fewer security vulnerabilities in 2025 than it did last year. Treat the averages with care: they cover only CVEs that carry a CVSS score, and of the 13 entries for 2025 listed below only one (CVE-2025-23073, 3.5) has one, so the 2025 figure is that single score rather than a trend.

Year   Vulnerabilities   Average Score
2025   13                3.50
2024   30                5.76
2023   38                5.85
2022   33                6.56
2021   46                6.16
2020   30                6.30
2019   12                6.92
2018   4                 5.65

It may take a day or so for new MediaWiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name; most of the entries below are in extensions and skins rather than MediaWiki core, so a wiki's exposure depends on which of those it has installed.

Recent MediaWiki Security Vulnerabilities

Mediawiki Lockdown Ext <1.42: Privilege Abuse via Incorrect Permission Assignment
CVE-2025-12004 - October 21, 2025

Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action API. This issue affects Mediawiki - Lockdown Extension: from master before 1.42.

Incorrect Permission Assignment for Critical Resource

Stored XSS in Mediawiki Wikistories before v1.44
CVE-2025-62701 - October 21, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS. This issue affects Mediawiki - Wikistories: from master before 1.44.

XSS

MediaWiki ExternalGuidance Stored XSS before v1.39
CVE-2025-62698 - October 20, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ExternalGuidance allows Stored XSS. This issue affects Mediawiki - ExternalGuidance: from master before 1.39.

XSS

Mediawiki Cargo Extension Stored XSS Vulnerability
CVE-2025-62671 - October 18, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: master.

XSS

MediaWiki FeaturedFeeds Extension XSS (1.39.x, 1.42.x, 1.43.x)
CVE-2025-53502 - July 03, 2025

Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X.

MediaWiki Citizen skin before 3.3.1: Arbitrary DOM insertion via raw HTML in CommandPaletteFooter
CVE-2025-49575 - June 12, 2025

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.

XSS

MediaWiki Citizen skin before 3.3.1 allows arbitrary HTML injection
CVE-2025-49577 - June 12, 2025

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.

XSS

MediaWiki Citizen <3.3.1: Menu.mustache HTML Injection
CVE-2025-49579 - June 12, 2025

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.

XSS

MediaWiki ManageWiki ext disabling restricted ext without rights (CVE-2025-32964)
CVE-2025-32964 - April 22, 2025

ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched in commit 00bebea. A workaround involves ensuring that any extensions requiring specific permissions in `$wgManageWikiExtensions` also require the same permissions for managing any conflicting extensions.

AuthZ

Mediawiki – HTML Tags XSS (CVE-2025-32073) 1.39–1.43
CVE-2025-32073 - April 11, 2025

Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS). This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43.

MediaWiki Version Compare XSS via Improper Escaping (1.39-1.43)
CVE-2025-32078 - April 11, 2025

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43.

MediaWiki Lakeus Skin XSS via system messages (from 1.0.8; fixed in 1.3.1 and 1.4.0)
CVE-2025-25287 - February 13, 2025

Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to stored cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch.

XSS

MediaWiki GlobalBlocking Ext: Sensitive Info Leak to Unauthorized Actor
CVE-2025-23073 3.5 - Low - January 14, 2025

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly impacted the master branch of MediaWiki's GlobalBlocking Extension.

Information Disclosure

CVE-2024-47815: XSS in MediaWiki Extension IncidentReporting
CVE-2024-47815 - October 09, 2024

IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the `editincidents` right, some are available to those who can edit interface messages (typically administrators and interface admins), and one is available to those who can edit LocalSettings.php. These issues have been addressed in commit `43896a4` and all users are advised to upgrade. Users unable to upgrade should prevent access to the Special:IncidentReports page.

XSS

Unescaped vector-toc-toggle-button-label in MediaWiki Vector skin <1.39.5/1.40.1
CVE-2023-45359 - October 09, 2024

An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup.

MediaWiki Vector Skin MalformedTitleException <1.39.5/1.40.1
CVE-2023-45361 - October 09, 2024

An issue was discovered in VectorComponentUserLinks.php in the Vector Skin component in MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-intro-page MalformedTitleException is uncaught if it is not a valid title, leading to incorrect web pages.

MediaWiki Apex Skin Stored XSS before 1.42.2
CVE-2024-47840 4.8 - Medium - October 05, 2024

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Apex skin allows Stored XSS. This issue affects Mediawiki - Apex skin: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

XSS

Mediawiki CSS Ext Encoding Flaw -> Code Injection (<1.39.9, <1.41.3, <1.42.2)
CVE-2024-47845 8.2 - High - October 05, 2024

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Output Sanitization

AbuseFilter Ext <1.42.2: Unauth API Log Exposure
CVE-2024-47913 - October 04, 2024

An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter.

MediaWiki (Citizen Skin) XSS via real name before v2.31.0
CVE-2024-47536 - September 30, 2024

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.

XSS

MediaWiki Foreground Skin <=1.42.1 Stored XSS via Sidebar Entries
CVE-2024-40605 4.8 - Medium - July 07, 2024

An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

XSS

MediaWiki CheckUser Ext through 1.42.1 Log Suppression Bypass
CVE-2024-40597 - July 07, 2024

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. It can expose suppressed information for log events. (The log_deleted attribute is not respected.)

MediaWikiChat API CSRF before 1.42.2
CVE-2024-40601 6.5 - Medium - July 07, 2024

An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules.

Session Riding

Exposed Suppressed Log Events in MediaWiki CheckUser Extension v1.42.1
CVE-2024-40596 4.3 - Medium - July 07, 2024

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppressed information for log events. (TimelineService does not support properly suppressing.)

Insertion of Sensitive Information into Log File

MediaWiki CheckUser Exposes Suppressed Log Events (1.42.1)
CVE-2024-40598 4.3 - Medium - July 07, 2024

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events. (The log_deleted attribute is not applied to entries.)

Insertion of Sensitive Information into Log File
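The three CheckUser entries above share one bug shape: log rows are copied to output without consulting the `log_deleted` bitfield that records which fields an admin or oversighter has hidden. The following is an added example, not CheckUser or MediaWiki core code, modelling that bitfield and the per-field gate a formatter needs. The bit values and right names follow MediaWiki core's LogPage constants and its userCanBitfield rule as I understand them; the log rows, viewers and output shape are constructed for illustration.

```javascript
// Added model of MediaWiki's log_deleted bitfield (not core code).
// Bit values follow core's LogPage constants; rows and users are constructed.
const DELETED_ACTION = 1;      // action and target hidden
const DELETED_COMMENT = 2;     // reason / summary hidden
const DELETED_USER = 4;        // performing user hidden
const DELETED_RESTRICTED = 8;  // suppressed: hidden even from ordinary admins

// Core's rule as modelled here: a hidden field is visible only to holders of
// `deletedhistory`; if the entry is also RESTRICTED, only to holders of
// `suppressrevision` or `viewsuppressed`.
function userCanBitfield(bitfield, field, viewer) {
  if ((bitfield & field) === 0) return true;
  const needed = (bitfield & DELETED_RESTRICTED) !== 0
    ? ['suppressrevision', 'viewsuppressed']
    : ['deletedhistory'];
  return needed.some((right) => viewer.rights.has(right));
}

// Constructed log rows in the shape a CheckUser timeline might read from the DB.
const logRows = [
  { id: 1, user: 'Alice', action: 'block', target: 'Mallory', comment: 'spam', deleted: 0 },
  { id: 2, user: 'RealName Leak', action: 'newusers', target: 'RealName Leak', comment: '',
    deleted: DELETED_USER | DELETED_RESTRICTED },   // username suppressed by an oversighter
  { id: 3, user: 'Bob', action: 'delete', target: 'Draft', comment: 'contains phone number',
    deleted: DELETED_COMMENT },                     // reason hidden by an admin
];

// Vulnerable formatter: the pattern behind the advisories, every column passed through.
function formatRowsIgnoringSuppression(rows) {
  return rows.map((r) => ({
    id: r.id, user: r.user, action: r.action, target: r.target, comment: r.comment,
  }));
}

// Hardened formatter: each field is gated by its own bit before it reaches output,
// and the viewer's rights decide whether the hidden value may be shown.
function formatRowsForViewer(rows, viewer) {
  return rows.map((r) => {
    const seeAction = userCanBitfield(r.deleted, DELETED_ACTION, viewer);
    return {
      id: r.id,
      user: userCanBitfield(r.deleted, DELETED_USER, viewer) ? r.user : '(username removed)',
      action: seeAction ? r.action : '(log action removed)',
      target: seeAction ? r.target : '(log action removed)',
      comment: userCanBitfield(r.deleted, DELETED_COMMENT, viewer) ? r.comment : '(reason removed)',
    };
  });
}

// Constructed viewers: a checkuser without suppression rights, and an oversighter.
const checkUser = { name: 'Carol', rights: new Set(['checkuser', 'deletedhistory']) };
const oversighter = { name: 'Dave', rights: new Set(['checkuser', 'deletedhistory', 'suppressrevision']) };

console.log(formatRowsForViewer(logRows, checkUser));
```

The point to carry over to any new log consumer (API module, special page, timeline service): the check is per field, not per row, and a row that is merely "deleted" is still readable by admins while a "restricted" row is not.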

MediaWiki GuMaxDD Skin XSS via Sidebar (before 1.42.2)
CVE-2024-40599 4.8 - Medium - July 07, 2024

An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

XSS

MediaWiki Metrolook Stored XSS via Sidebar (1.42.1)
CVE-2024-40600 4.8 - Medium - July 07, 2024

An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

XSS

Stored XSS in MediaWiki Tempo skin via MediaWiki:Sidebar through 1.42.1
CVE-2024-40602 4.8 - Medium - July 07, 2024

An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

XSS

MediaWiki ArticleRatings <=1.42.1 CSRF via GET on Special:ChangeRating
CVE-2024-40603 4.3 - Medium - July 07, 2024

An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request.

Session Riding

MediaWiki Nimbus skin through 1.42.1 Stored XSS via sidebar
CVE-2024-40604 4.8 - Medium - July 07, 2024

An issue was discovered in the Nimbus skin for MediaWiki through 1.42.1. There is Stored XSS via MediaWiki:Nimbus-sidebar menu and submenu entries.

XSS

MediaWiki XSS via unescaped MediaWiki:Tagline in Citizen skin (fixed 2.16.0)
CVE-2024-36123 - June 03, 2024

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page `MediaWiki:Tagline` has its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the `editinterface` permission, or sysops). This vulnerability is fixed in 2.16.0.

MediaWiki WikibaseLexeme MergeLexemes unauth edit <1.41.1
CVE-2024-34502 9.8 - Critical - May 05, 2024

An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.

Session Riding
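The ArticleRatings, MediaWikiChat and WikibaseLexeme entries above are the same defect three times: a handler that changes data as soon as a valid session cookie arrives, without requiring POST or an edit token, so any page the victim visits can make their browser submit the request. The following is an added example, not code from those extensions or from MediaWiki, modelling the vulnerable handler beside the hardened one. The request shape, handler names, the `changerating` right and the session data are constructed; the error codes reuse MediaWiki's API names `mustbeposted` and `badtoken`, and the token is modelled as an opaque per-session random value (MediaWiki's real tokens are derived from a per-session secret).

```javascript
// Added model of the write-on-GET / missing-token bug (not extension code).
function newContext() {
  return {
    ratings: { Main_Page: 3 },
    sessions: {
      // csrfToken would come from a CSPRNG at login; fixed here so the run is deterministic.
      'sess-alice': { user: 'Alice', rights: new Set(['changerating']), csrfToken: 'a3f9c2e1d4b7' },
    },
  };
}

// Length-independent compare so the token check cannot be timed byte by byte.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Vulnerable handler: the only gate is the session cookie, which the victim's
// browser attaches to any request a third-party page triggers, so a plain GET
// (an <img src=...> or a link) is enough to change data.
function changeRatingVulnerable(req, ctx) {
  const session = ctx.sessions[req.cookies.session];
  if (!session || !session.rights.has('changerating')) return { status: 403, error: 'permissiondenied' };
  ctx.ratings[req.params.page] = Number(req.params.rating);
  return { status: 200, rating: ctx.ratings[req.params.page] };
}

// Hardened handler: a state change needs POST plus a token bound to the session.
// A cross-origin page cannot read the token, so it cannot supply it.
function changeRatingHardened(req, ctx) {
  const session = ctx.sessions[req.cookies.session];
  if (!session || !session.rights.has('changerating')) return { status: 403, error: 'permissiondenied' };
  if (req.method !== 'POST') return { status: 405, error: 'mustbeposted' };
  const token = req.params.token;
  if (typeof token !== 'string' || !constantTimeEqual(token, session.csrfToken)) {
    return { status: 400, error: 'badtoken' };
  }
  ctx.ratings[req.params.page] = Number(req.params.rating);
  return { status: 200, rating: ctx.ratings[req.params.page] };
}

// What an attacker's page can make the victim's browser send: cookie included,
// method and parameters chosen by the attacker, token unknown.
function forgedRequest(method) {
  return { method, cookies: { session: 'sess-alice' }, params: { page: 'Main_Page', rating: '1' } };
}

// What the wiki's own form submits: same cookie, plus the token it was served.
function legitimateRequest(ctx) {
  return {
    method: 'POST',
    cookies: { session: 'sess-alice' },
    params: { page: 'Main_Page', rating: '5', token: ctx.sessions['sess-alice'].csrfToken },
  };
}

const demo = newContext();
console.log(changeRatingHardened(forgedRequest('GET'), demo), demo.ratings);
```

Requiring POST on its own is not sufficient (a cross-site form can POST), and a token check on its own still leaves GET links that leak the token into referrers and logs; the two checks belong together, which is also what MediaWiki's `mustBePosted()` and `needsToken()` API module hooks express.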

DoS via SpecialMovePage in MediaWiki <1.39.7/1.40.3/1.41.1
CVE-2024-34506 7.5 - High - May 05, 2024

An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. If a user with the necessary rights to move the page opens Special:MovePage for a page with tens of thousands of subpages, then the page will exceed the maximum request time, leading to a denial of service.

Resource Exhaustion

MediaWiki XSS via CommentParser.php before v1.39.7/1.40.3/1.41.1
CVE-2024-34507 7.4 - High - May 05, 2024

An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. XSS can occur because of mishandling of the 0x1b character, as demonstrated by Special:RecentChanges#%1b0000000.

Basic XSS

MediaWiki UnlinkedWikibase XSS via unescaped error messages before 1.41.1
CVE-2024-34500 6.1 - Medium - May 05, 2024

An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.

XSS

MediaWiki ManageWiki XSS via unescaped interface messages (CVE-2024-25109)
CVE-2024-25109 5.4 - Medium - February 09, 2024

ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape interface messages on the `columns` and `help` keys of the form descriptor. An attacker may exploit this and would have a cross site scripting attack vector. Exploiting this on-wiki requires the `(editinterface)` right. Users should apply the code changes in commits `886cc6b94`, `2ef0f50880`, and `6942e8b2c` to resolve this vulnerability. There are no known workarounds for this vulnerability.

XSS

MediaWiki GlobalBlocking Ext XSS via i18n before 1.40.2
CVE-2024-23179 6.1 - Medium - January 12, 2024

An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks.

XSS

MediaWiki <1.40.2 Phonos XSS via PhonosButton.js i18n message
CVE-2024-23178 5.4 - Medium - January 12, 2024

An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message.

XSS

MediaWiki WatchAnalytics XSS via Special:PageStatistics before 1.40.2
CVE-2024-23177 6.1 - Medium - January 12, 2024

An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter.

XSS

MediaWiki CampaignEvents XSS via i18n (x-xss) before 1.40.2
CVE-2024-23171 5.4 - Medium - January 12, 2024

An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n).

XSS

MediaWiki Cargo XSS on Special:Drilldown before 1.35.14/1.39.6/1.40.2
CVE-2024-23173 6.1 - Medium - January 12, 2024

An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.

XSS

MediaWiki CheckUser XSS before 1.39.6 via Message Definitions
CVE-2024-23172 5.4 - Medium - January 12, 2024

An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions, e.g. in SpecialCheckUserLog.

XSS

MediaWiki PageTriage XSS via rev-deleted-user before 1.35.14
CVE-2024-23174 5.4 - Medium - January 12, 2024

An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message.

XSS

MediaWiki XSS in RightsLogFormatter before 1.40.2
CVE-2023-51704 - December 22, 2023

An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights.

MediaWiki DifferenceEngine diff-multi-sameuser ignores username suppression (<1.35.12/1.39.5/1.40.1)
CVE-2023-45362 - November 03, 2023

An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak.

MediaWiki XSS via youhavenewmessages i18n messages (<1.35.12/1.39.5/1.40.1)
CVE-2023-45360 5.4 - Medium - November 03, 2023

An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers.

XSS
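Most of the XSS entries on this page (Citizen, Lakeus, ManageWiki, IncidentReporting, the Vector and sidebar-driven skins, and the i18n entries for GlobalBlocking, CampaignEvents, CheckUser, PageTriage, RightsLogFormatter and the youhavenewmessages messages) are one pattern: a system message that anyone with `editinterface` can rewrite is inserted into the page as raw HTML, which turns a right meant for wording changes into the `editsitejs` right it was supposed to be kept apart from. The following is an added example, not code from any of those skins, extensions or MediaWiki core, modelling a raw sink beside an escaped one and a sweep modelled on MediaWiki's `x-xss` test language (which serves every message as a script payload so unescaped sinks show up). Message keys, renderer names and the tampered message are constructed.

```javascript
// Added model of the interface-message XSS pattern (not skin/extension code).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Constructed message store. On a wiki these are MediaWiki:<key> pages;
// `editinterface` lets a user rewrite them without the `editsitejs` right
// that adding JavaScript to the site is meant to require.
const messages = {
  'menu-heading-tools': 'Tools',
  'footer-message': 'Powered by <img src=x onerror=alert(document.cookie)>',
  'pref-theme-label': 'Theme',
};

function msg(key, store) {
  return Object.prototype.hasOwnProperty.call(store, key) ? store[key] : `⧼${key}⧽`;
}

// Vulnerable sinks: message text dropped straight into markup (the
// triple-mustache / rawElement / .html() pattern behind the advisories).
function renderMenuRaw(store) {
  return `<h3 class="menu-heading">${msg('menu-heading-tools', store)}</h3>`;
}
function renderFooterRaw(store) {
  return `<footer>${msg('footer-message', store)}</footer>`;
}

// Hardened sinks: same markup, message escaped at the point of insertion.
function renderFooterEscaped(store) {
  return `<footer>${escapeHtml(msg('footer-message', store))}</footer>`;
}
function renderPrefLabelEscaped(store) {
  return `<label>${escapeHtml(msg('pref-theme-label', store))}</label>`;
}

// x-xss style sweep: give one key at a time a markup probe, render every
// sink, and record the keys whose probe survives verbatim. Every key
// reported is an XSS sink for whoever can edit that message.
function findUnescapedMessages(renderers, keys) {
  const leaked = new Set();
  for (const key of keys) {
    const probe = `<xss-probe key="${key}">`;
    const probeStore = Object.fromEntries(keys.map((k) => [k, k === key ? probe : 'safe']));
    for (const render of renderers) {
      if (render(probeStore).includes(probe)) leaked.add(key);
    }
  }
  return [...leaked].sort();
}

const allRenderers = [renderMenuRaw, renderFooterRaw, renderFooterEscaped, renderPrefLabelEscaped];
console.log(findUnescapedMessages(allRenderers, Object.keys(messages)));
```

The sweep is the useful part for a skin or extension maintainer: run it (or the real thing, `?uselang=x-xss` with `$wgUseXssLanguage` enabled) over every page the code renders, and treat any key that comes back as a bug regardless of how privileged message editors are on your wiki.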

MediaWiki Wikibase item merging bypasses edit filters (<1.35.12/1.39.5/1.40.1)
CVE-2023-45372 5.3 - Medium - October 09, 2023

An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. During item merging, ItemMergeInteractor does not have an edit filter running (e.g., AbuseFilter).

MediaWiki SportsTeams logo special pages lack sportsteamsmanager right check (<1.35.12/1.39.5/1.40.1)
CVE-2023-45370 5.3 - Medium - October 09, 2023

An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo do not check for the sportsteamsmanager user right, and thus an attacker may be able to affect pages that are concerned with sports teams.

MediaWiki Wikibase item merging has no rate limit (<1.35.12/1.39.5/1.40.1)
CVE-2023-45371 7.5 - High - October 09, 2023

An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is no rate limit for merging items.

Allocation of Resources Without Limits or Throttling

MediaWiki ProofreadPage XSS via formatNumNoSeparators (<1.35.12/1.39.5/1.40.1)
CVE-2023-45373 6.1 - Medium - October 09, 2023

An issue was discovered in the ProofreadPage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. XSS can occur via formatNumNoSeparators.

XSS
