Wikimedia


Products by Wikimedia, Sorted by Most Security Vulnerabilities since 2018

Wikimedia Mediawiki: 68 vulnerabilities

Wikimedia Wikidata Query Gui: 3 vulnerabilities

Wikimedia Extensions Css: 2 vulnerabilities

Wikimedia Apex: 1 vulnerability

Wikimedia Parsoid: 1 vulnerability

By the Year

In 2026 there have been 57 vulnerabilities in Wikimedia, with an average score of 5.7 out of ten. Last year, in 2025, Wikimedia had 23 security vulnerabilities published. That is, 34 more vulnerabilities have already been reported in 2026 than last year. Last year, the average CVE base score was greater by 0.60.

Year Vulnerabilities Average Score
2026 57 5.67
2025 23 6.27
2024 5 6.65
2023 3 5.83
2022 3 4.83
2021 2 6.10
2020 2 0.00
2019 4 0.00

It may take a day or so for new Wikimedia vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Wikimedia Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-67481 Feb 03, 2026
MediaWiki XSS via mediawiki.JqueryMsg.Js before 1.45.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Mediawiki
CVE-2025-67482 Feb 03, 2026
Wikimedia Scribunto <1.39.16: Lua sandbox RCE Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a.
CVE-2025-67483 Feb 03, 2026
XSS in MediaWiki Page.Preview.Js (pre-1.43.6, 1.44.3, 1.45.1) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.
Mediawiki
CVE-2025-67484 Feb 03, 2026
MediaWiki XML API Exec in Pre-1.39.16, 1.43.6, 1.44.3 & 1.45.1 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Mediawiki
CVE-2025-67480 Feb 03, 2026
MediaWiki API Query Revisions Base RCE before 1.39.16/1.43.6/1.44.3/1.45.1 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Mediawiki
CVE-2025-67475 Feb 03, 2026
MediaWiki XSS in CommentParser.Php before 1.39.16 (fixed 1.39.16) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Mediawiki
CVE-2025-67476 Feb 03, 2026
MediaWiki <1.44.3/1.45.1: ImportableOldRevisionImporter.PHP RCE Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.
Mediawiki
CVE-2025-67477 Feb 03, 2026
MediaWiki XSS in ApiSandboxLayout.Js before 1.44.3/1.45.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.
Mediawiki
CVE-2025-67478 Feb 03, 2026
CheckUser 1.44.1: UserMailer.Php RCE Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1.
CVE-2025-67479 Feb 03, 2026
MediaWiki <=1.39.13, 1.43.3, 1.44.0 ParserSanitizer RCE Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61654 Feb 03, 2026
Thanks PHP ThanksQueryHelper Vulnerability, pre-1.43.4 & 1.44.1 Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php. This issue affects Thanks: from * before 1.43.4, 1.44.1.
CVE-2025-61655 Feb 03, 2026
XSS in Wikimedia VisualEditor 1.39.14 / 1.43.4 / 1.44.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1.
CVE-2025-61656 Feb 03, 2026
Wikimedia VisualEditor XSS in ClipboardHandler Js (1.39.14, 1.43.4, 1.44.1) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1.
CVE-2025-61657 Feb 03, 2026
XSS in Wikimedia Vector before 1.44.1 via stickyHeader.js Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js. This issue affects Vector: from * before 1.43.4, 1.44.1.
CVE-2025-61658 Feb 03, 2026
CheckUser GlobalContributionsPager PHP flaw before v1.43.4/1.44.1 Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php. This issue affects CheckUser: from * before 1.43.4, 1.44.1.
CVE-2025-61653 Feb 03, 2026
MediaWiki TextExtracts RCE via ApiQueryExtracts.PHP, fixed before v1.44.1 Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1.
CVE-2025-61652 Feb 03, 2026
Vulnerability in Wikimedia DiscussionTools pre-1.43.4 & 1.44.1 Vulnerability in Wikimedia Foundation DiscussionTools. This issue affects DiscussionTools: from * before 1.43.4, 1.44.1.
CVE-2025-61651 Feb 03, 2026
Wikimedia CheckUser <=1.44.0 XSS via buildUserElement.js Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js. This issue affects CheckUser: from * before 1.44.1.
CVE-2025-11173 Feb 03, 2026
OATHAuth PHP RCE in OATHManage.Php before 1.39.14/1.43.4/1.44.1 Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1.
CVE-2025-11261 Feb 03, 2026
MediaWiki XSS in mediawiki.Language.Js (before 1.39.15, 1.43.5, 1.44.2) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2.
Mediawiki
CVE-2025-61648 Feb 03, 2026
Wikimedia CheckUser XSS Vulnerability before 1.44.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/ShowIPButton.Vue, modules/ext.CheckUser.TempAccounts/SpecialBlock.Js. This issue affects CheckUser: from * before 1.44.1.
CVE-2025-61649 Feb 03, 2026
CVE-2025-61649: PHP RCE via Wikimedia CheckUser UserInfoCardService Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f110651b6af4f41d2d11ae7309.
CVE-2025-61650 Feb 03, 2026
Wikimedia CheckUser XSS via CheckUserUserInfoCardService (CVE-2025-61650) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from * before 795bf333272206a0189050d975e94b70eb7dc507.
CVE-2025-61645 Feb 03, 2026
MediaWiki XSS in CodexTablePager.PHP before 1.44.1 (VWMK) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.
Mediawiki
CVE-2025-61646 Feb 03, 2026
MediaWiki EnhancedChangesList.PHP RCE before 1.44.1 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61647 Feb 03, 2026
CVE-2025-61647: PHP RCE in Wikimedia CheckUser Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php. This issue affects CheckUser: from a3dc1bbcc33acbcca6831d6afaccbb1054c93a57, 0584eb2ad564648aa3ce9c555dd044dda02b55f4.
CVE-2025-61644 Feb 02, 2026
MediaWiki XSS via WatchlistTopSectionWidget.js Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca.
Mediawiki
CVE-2025-61637 Feb 02, 2026
MediaWiki XSS via Edit.Preview.Js (pre-1.39.14/1.43.4/1.44.1) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61638 Feb 02, 2026
MediaWiki/Parsoid XSS Sanitizer.Php (1.39.14,1.43.4,1.44.1; 0.16.6,0.20.4,0.21.1) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1.
Mediawiki
CVE-2025-61639 Feb 02, 2026
MediaWiki ManualLogEntry PHP info leak before 1.39.14/1.43.4/1.44.1 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61640 Feb 02, 2026
MediaWiki XSS in Rcfilters RclToOrFromWidget.Js (pre-1.39.14/1.43.4/1.44.1) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61641 Feb 02, 2026
MediaWiki 1.44 < 1.44.1 AllPages API Vulnerability (Traversal) Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61642 Feb 02, 2026
MediaWiki XSS via CodexHTMLForm.PHP before 1.39.14/1.43.4/1.44.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61643 Feb 02, 2026
MediaWiki RCFeedNotifier PHP RCE <1.39.14, 1.43.4, 1.44.1 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61634 Feb 02, 2026
MediaWiki PageHTMLHandler PHP RCE before 1.39.14/1.43.4/1.44.1 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-61635 Feb 02, 2026
ConfirmEdit FancyCaptcha Reload PHP RCE Vulnerability Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *.
CVE-2025-61636 Feb 02, 2026
XSS in MediaWiki <1.39.14, 1.43.4, 1.44.1 via HTMLButtonField.php Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Mediawiki
CVE-2025-6589 Feb 02, 2026
MediaWiki 1.42+ BlockListPager.Php Vulnerability Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0.
Mediawiki
CVE-2025-6590 Feb 02, 2026
MediaWiki <1.44.0 Unauthorized Info Leak via HTMLUserTextField Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0.
Mediawiki
CVE-2025-6591 Feb 02, 2026
MediaWiki ApiFeedContributions.php Vulnerability pre-1.39.13/1.42.7/1.44.0 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0.
Mediawiki
CVE-2025-6592 Feb 02, 2026
AbuseFilter AuthManager PHP flaw before v1.43.2/1.44.0 Vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects AbuseFilter: from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 before 1.43.2, 1.44.0.
CVE-2025-6593 Feb 02, 2026
MediaWiki User.Php Path Traversal 1.27.0-1.39.13, 1.42.7-1.44.0 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.
Mediawiki
CVE-2025-6594 Feb 02, 2026
MediaWiki XSS via ApiSandbox.Js <=1.39.13,1.42.7,1.43.2,1.44.0 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.
Mediawiki
CVE-2025-6595 Feb 02, 2026
Wikimedia MultimediaViewer XSS before 1.44.0 (CVE-2025-6595) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer. This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
CVE-2025-6596 Feb 02, 2026
XSS in Wikimedia Vector 1.40.0-1.42.6, 1.43.2, 1.44.0 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vector: from >= 1.40.0 before 1.42.7, 1.43.2, 1.44.0.
CVE-2025-6597 Feb 02, 2026
MediaWiki AuthManager PHP RCE before 1.39.13, 1.42.7, 1.43.2, 1.44.0 Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
Mediawiki
CVE-2025-6927 Feb 02, 2026
MediaWiki 1.42-1.44 BlockListPager.Php & ApiQueryBlocks.Php Vulnerability Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.
Mediawiki
CVE-2025-11175 Jan 30, 2026
Mediawiki DiscussionTools 1.43/1.44: EL Injection & Regex DoS Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.
Mediawiki
CVE-2026-0817 Jan 09, 2026
Missing Auth in MediaWiki CampaignEvents Ext 1.45-1.39 Priv Abuse Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse. This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39.
Mediawiki
CVE-2026-22712 Jan 09, 2026
MediaWiki ApprovedRevs 1.45-1.39 - XSS via magic word escape Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation. This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.
Mediawiki
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).