Wikimedia

Products by Wikimedia, sorted by most security vulnerabilities since 2018

Wikimedia Mediawiki: 23 vulnerabilities
Wikimedia Wikidata Query Gui: 3 vulnerabilities
Wikimedia Extensions Css: 2 vulnerabilities
Wikimedia Apex: 1 vulnerability
Wikimedia Parsoid: 1 vulnerability

By the Year

In 2025 there have so far been 23 vulnerabilities in Wikimedia products, with an average CVSS base score of 6.27 out of 10. In 2024, 5 Wikimedia vulnerabilities were published, so 2025 has already seen 18 more than the whole of last year. The 2024 average base score (6.65) was higher than this year's by 0.38.

Year  Vulnerabilities  Average Score
2025  23               6.27
2024  5                6.65
2023  2                6.10
2022  0                0.00
2021  2                6.10
2020  0                0.00
2019  3                6.10

It may take a day or so for new Wikimedia vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example, several entries below are filed under a specific extension or skin rather than under MediaWiki itself).

Recent Wikimedia Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-62659 Oct 22, 2025
MediaWiki CookieConsent extension before v2.0.0: XSS via improper input neutralization. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki CookieConsent extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki CookieConsent extension: from v0.1.0 before v2.0.0.
Mediawiki
CVE-2025-52738 Oct 22, 2025
Missing authorization in Wikipedia Preview through 1.15.0 (CVE-2025-52738). Missing Authorization vulnerability in Wikimedia Foundation Wikipedia Preview (wikipedia-preview) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wikipedia Preview: through 1.15.0.
Wikipedia Preview
CVE-2025-62697 Oct 20, 2025
MediaWiki LanguageSelector extension before 1.39: code injection via improper escaping. Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in The Wikimedia Foundation Mediawiki - LanguageSelector Extension allows Code Injection. This issue affects Mediawiki - LanguageSelector Extension: from master before 1.39.
Mediawiki
CVE-2025-62700 Oct 20, 2025
MediaWiki MultiBoilerplate extension before 1.39: stored XSS. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - MultiBoilerplate Extension allows Stored XSS. This issue affects Mediawiki - MultiBoilerplate Extension: from master before 1.39.
Mediawiki
CVE-2025-11937 Oct 18, 2025
MediaWiki SecurePoll extension: stored XSS (CVE-2025-11937). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - SecurePoll Extension allows Stored XSS. This issue affects Mediawiki - SecurePoll Extension: master.
Mediawiki
CVE-2025-62666 Oct 18, 2025
MediaWiki CirrusSearch extension before 1.43: denial of service from missing throttling. Allocation of Resources Without Limits or Throttling vulnerability in The Wikimedia Foundation Mediawiki - CirrusSearch Extension allows HTTP DoS. This issue affects Mediawiki - CirrusSearch Extension: from master before 1.43.
Mediawiki
CVE-2025-62667 Oct 18, 2025
MediaWiki GrowthExperiments extension before 1.39: stored XSS. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Stored XSS. This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.
Mediawiki
CVE-2025-62668 Oct 18, 2025
MediaWiki GrowthExperiments extension before 1.39: incorrect default permissions. Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure. This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.
Mediawiki
CVE-2025-62669 Oct 18, 2025
MediaWiki CentralAuth extension before 1.39: sensitive information disclosure. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. This issue affects Mediawiki - CentralAuth Extension: from master before 1.39.
Mediawiki
CVE-2025-62670 Oct 18, 2025
MediaWiki FlexDiagrams extension: stored XSS via improper input neutralization. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - FlexDiagrams Extension allows Stored XSS. This issue affects Mediawiki - FlexDiagrams Extension: master.
Mediawiki
CVE-2025-62663 Oct 18, 2025
MediaWiki UploadWizard extension before 1.39: stored XSS. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - UploadWizard Extension allows Stored XSS. This issue affects Mediawiki - UploadWizard Extension: from master before 1.39.
Mediawiki
CVE-2025-62664 Oct 18, 2025
MediaWiki ImageRating extension before 1.39: stored XSS (CVE-2025-62664). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ImageRating Extension allows Stored XSS. This issue affects Mediawiki - ImageRating Extension: from master before 1.39.
Mediawiki
CVE-2025-62665 Oct 18, 2025
MediaWiki Skin:BlueSky before 1.39: stored XSS. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Skin:BlueSky allows Stored XSS. This issue affects Mediawiki - Skin:BlueSky: from master before 1.39.
CVE-2025-62654 Oct 17, 2025
MediaWiki QuizGame extension 1.39, 1.43 and 1.44: stored XSS. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki QuizGame extension allows Stored XSS. This issue affects MediaWiki QuizGame extension: 1.39, 1.43, 1.44.
Mediawiki
CVE-2025-62653 Oct 17, 2025
MediaWiki PollNY extension 1.39, 1.43 and 1.44: stored XSS (CVE-2025-62653). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PollNY extension allows Stored XSS. This issue affects MediaWiki PollNY extension: 1.39, 1.43, 1.44.
Mediawiki
CVE-2025-62652 Oct 17, 2025
MediaWiki WebAuthn extension 1.39, 1.43 and 1.44: stored XSS. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki WebAuthn extension allows Stored XSS. This issue affects MediaWiki WebAuthn extension: 1.39, 1.43, 1.44.
Mediawiki
CVE-2025-6926 Jul 03, 2025
Improper authentication in MediaWiki CentralAuth extension before 1.39.13, 1.42.7 and 1.43.2 (CVE-2025-6926). Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows Authentication Bypass. This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Mediawiki
CVE-2025-32072 Apr 11, 2025
MediaWiki core Feed Utils 1.39 through 1.43: XSS via WebView injection. Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection. This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43.
Mediawiki
CVE-2025-32696 Apr 10, 2025
MediaWiki before 1.39.12, 1.42.6 and 1.43.1: improper permission preservation in RevertAction and ApiFileRevert. Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the files includes/actions/RevertAction.php and includes/api/ApiFileRevert.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
Mediawiki
CVE-2025-32698 Apr 10, 2025
MediaWiki before 1.39.12, 1.42.6 and 1.43.1: sensitive information leak in LogPager.php. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the file includes/logging/LogPager.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
Mediawiki
CVE-2025-32699 Apr 10, 2025
MediaWiki before 1.39.12, 1.42.6 and 1.43.1 and Parsoid before 0.16.5, 0.19.2 and 0.20.2: CVE-2025-32699. Vulnerability in Wikimedia Foundation MediaWiki and Wikimedia Foundation Parsoid. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.
Mediawiki
CVE-2025-3469 Apr 10, 2025
MediaWiki before 1.39.12, 1.42.6 and 1.43.1: XSS via HTMLMultiSelectField. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the file includes/htmlform/fields/HTMLMultiSelectField.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
Mediawiki
CVE-2025-23073 Jan 14, 2025
MediaWiki GlobalBlocking extension: sensitive information leak to an unauthorized actor. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly affected the master branch of MediaWiki's GlobalBlocking extension.
CVE-2024-47841 Oct 05, 2024
MediaWiki CSS extension: path traversal, fixed in 1.39.9, 1.41.3 and 1.42.2. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Path Traversal. This issue affects Mediawiki - CSS Extension: from 1.42.X before 1.42.2, from 1.41.X before 1.41.3, from 1.39.X before 1.39.9.
Wikimedia Extensions Css
CVE-2024-47845 Oct 05, 2024
MediaWiki CSS extension: improper output encoding leading to code injection, fixed in 1.39.9, 1.41.3 and 1.42.2. Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
Wikimedia Extensions Css
CVE-2024-47840 Oct 05, 2024
MediaWiki Apex skin: stored XSS, fixed in 1.39.9, 1.41.3 and 1.42.2. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Apex skin allows Stored XSS. This issue affects Mediawiki - Apex skin: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
Apex
CVE-2023-29134 Mar 27, 2024
MediaWiki Cargo extension through 1.39.3: mishandling of backticks in smartSplit. An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. There is mishandling of backticks passed to smartSplit.
Mediawiki
CVE-2024-23173 Jan 12, 2024
MediaWiki Cargo extension: XSS on Special:Drilldown (fixed in 1.35.14, 1.39.6 and 1.40.2). An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via the artist, album, and position parameters because of how applied filter values are handled in drilldown/CargoAppliedFilter.php.
Mediawiki
CVE-2023-37302 Jun 30, 2023
MediaWiki Wikibase through 1.39.3: XSS in SiteLinksView.php. An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to a lack of escaping of quotes (which can appear in a title attribute) in wbTemplate (from resources/wikibase/templates.js).
Mediawiki
CVE-2018-25065 Jan 05, 2023
Cross-site scripting in Wikimedia mediawiki-extensions-I18nTags (I18nTags_body.php). A vulnerability was found in Wikimedia mediawiki-extensions-I18nTags and classified as problematic. This issue affects some unknown processing of the file I18nTags_body.php of the component Unlike Parser. The manipulation leads to cross site scripting. The attack may be initiated remotely. The identifier of the patch is b4bc3cbbb099eab50cf2b544cf577116f1867b94. It is recommended to apply a patch to fix this issue. The identifier VDB-217445 was assigned to this vulnerability.
Mediawiki Extensions I18ntags
CVE-2020-36324 Apr 21, 2021
Wikimedia Quarry analytics-quarry-web before 2020-12-15: reflected XSS. Wikimedia Quarry analytics-quarry-web before 2020-12-15 allows reflected XSS because app.py does not explicitly set the application/json content type, so a browser may sniff and render attacker-influenced JSON output as HTML.
Analytics Quarry Web
CVE-2021-30458 Apr 09, 2021
Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2: sanitization bypass via crafted wikitext. An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps and potentially allowing XSS.
Parsoid
CVE-2019-19329 Nov 27, 2019
Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07: arbitrary JavaScript execution via mathematical expressions in results. In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07, when mathematical expressions in results are displayed directly, arbitrary JavaScript execution can occur, aka XSS. This was addressed by introducing MathJax as a new mathematics rendering engine. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT.
Wikidata Query Gui
CVE-2019-19328 Nov 27, 2019
Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07: HTML injection in entity tooltips. ui/editor/tooltip/Rdf.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection in tooltips for entities. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT.
Wikidata Query Gui
CVE-2019-19327 Nov 27, 2019
Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07: HTML injection in the result summary. ui/ResultView.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection when reporting the number of results and number of milliseconds. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT.
Wikidata Query Gui
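The Wikibase entry above (CVE-2023-37302: a crafted badge title attribute, plus a template helper that did not escape quotes) and the two Wikidata Query Service GUI HTML-injection entries are the same class of bug seen from two contexts. The block below is an added example written for this page; it is not Wikibase, WDQS GUI or any other Wikimedia code, and the template, the function names (escapeTagsOnly, escapeHtml, fillTemplate, renderBadgeNaive, renderBadgeSafe, attributeNames) and the payload are all constructed for illustration. It shows why escaping only < and > is not enough once a value is spliced into a double-quoted attribute: a single quote character ends the attribute, and everything after it is parsed as new attributes, including event handlers.

```javascript
// Added example, not Wikibase or WDQS GUI code: why a template engine that
// escapes tags but not quotes is still exploitable in attribute context.
// All function names, the template and the payload are this example's own.

// Insufficient escaping: neutralises < and > only. Enough for text nodes,
// not for a value that lands inside a double-quoted attribute.
function escapeTagsOnly(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Correct escaping for both text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal $1/$2 substitution, the general shape of a wbTemplate-style helper.
// `esc` is applied to every parameter before it is spliced into the template.
function fillTemplate(tpl, params, esc) {
  return tpl.replace(/\$(\d+)/g, (_, n) => esc(params[Number(n) - 1] ?? ''));
}

// A badge whose title attribute and label both come from wiki-controlled data.
const BADGE_TEMPLATE = '<span class="wb-badge" title="$1">$2</span>';

function renderBadgeNaive(title, label) {
  return fillTemplate(BADGE_TEMPLATE, [title, label], escapeTagsOnly);
}

function renderBadgeSafe(title, label) {
  return fillTemplate(BADGE_TEMPLATE, [title, label], escapeHtml);
}

// Small check used to show the difference: lists the attribute names of the
// fragment's opening tag, honouring double quotes the way a browser would.
function attributeNames(html) {
  const open = html.match(/^<\w+([^>]*)>/);
  if (!open) return [];
  const names = [];
  const attr = /([A-Za-z-]+)="[^"]*"/g;
  let m;
  while ((m = attr.exec(open[1])) !== null) names.push(m[1]);
  return names;
}

// Constructed payload: the leading quote closes the title attribute and what
// follows is parsed as a new event-handler attribute. No tag characters needed.
const PAYLOAD = '" onmouseover="alert(1)';

// Stand-alone demonstration.
console.log(renderBadgeNaive(PAYLOAD, 'featured'));
// <span class="wb-badge" title="" onmouseover="alert(1)">featured</span>
console.log(attributeNames(renderBadgeNaive(PAYLOAD, 'featured')));
// [ 'class', 'title', 'onmouseover' ]
console.log(renderBadgeSafe(PAYLOAD, 'featured'));
// <span class="wb-badge" title="&quot; onmouseover=&quot;alert(1)">featured</span>
console.log(attributeNames(renderBadgeSafe(PAYLOAD, 'featured')));
// [ 'class', 'title' ]
```

The WDQS GUI tooltip and result-count entries are the text-node version of the same mistake: untrusted strings concatenated into markup without escaping. The remedy is the same in both cases, escape for the context the value lands in (or build the DOM with text APIs such as textContent rather than innerHTML), and do it in the template helper so individual call sites cannot forget.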
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.