Wikimedia
By the Year
In 2026 there have been 69 vulnerabilities in Wikimedia with an average score of 5.7 out of ten. Last year, in 2025, Wikimedia had 23 security vulnerabilities published. That is, 46 more vulnerabilities have already been reported in 2026 than in all of last year. Last year, the average CVE base score was greater by 0.60.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 69 | 5.67 |
| 2025 | 23 | 6.27 |
| 2024 | 5 | 6.65 |
| 2023 | 3 | 5.83 |
| 2022 | 3 | 4.83 |
| 2021 | 2 | 6.10 |
| 2020 | 2 | 0.00 |
| 2019 | 4 | 0.00 |
It may take a day or so for new Wikimedia vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Wikimedia Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-39936 | Apr 07, 2026 | MediaWiki Score Extension: XSS via Improper Input Neutralization. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. |
| CVE-2026-39935 | Apr 07, 2026 | MediaWiki CampaignEvents XSS <=1.45.2 (Before 1.45.3). Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS). This issue was remediated only on the `master` branch. |
| CVE-2026-39934 | Apr 07, 2026 | MediaWiki GrowthExperiments Ext 1.45.2/1.44.4/1.43.7 Infinite Loop via TOCTOU. Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch. |
| CVE-2026-39933 | Apr 07, 2026 | XSS in MediaWiki GlobalWatchlist Ext. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. |
| CVE-2026-39937 | Apr 07, 2026 | MediaWiki CentralAuth SLY: Sensitive Data Leak via Improper Info Removal. Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. |
| CVE-2026-39837 | Apr 07, 2026 | MediaWiki Cargo 3.8.7 Stored XSS via Script Tag. Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7. |
| CVE-2026-39841 | Apr 07, 2026 | Mediawiki CargoExt <3.8.7: Stored XSS via Script-Rel HTML Tags. Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7. |
| CVE-2026-39840 | Apr 07, 2026 | Mediawiki Cargo Ext XSS before 3.8.7 Target Non-Script Elements. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements. This issue affects Mediawiki - Cargo Extension: before 3.8.7. |
| CVE-2026-39839 | Apr 07, 2026 | Mediawiki Cargo Ext Before 3.8.7: Stored XSS via Script Tags. Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7. |
| CVE-2026-39838 | Apr 07, 2026 | MediaWiki ProofreadPage XSS via NonScript Element Injection. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. |
| CVE-2026-5762 | Apr 07, 2026 | DoS via unchecked resource allocation in MediaWiki ReportInc Ext 1.43.7-1.45.2. Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS. This issue was remediated only on the `master` branch. |
| CVE-2026-22711 | Apr 07, 2026 | MediaWiki - Wikilove Ext XSS via alt syntax 1.43.7-1.45.2. Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. |
| CVE-2025-67481 | Feb 03, 2026 | MediaWiki XSS via mediawiki.JqueryMsg.Js before 1.45.1. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. |
| CVE-2025-67482 | Feb 03, 2026 | Wikimedia Scribunto <1.39.16: Lua sandbox RCE. Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a. |
| CVE-2025-67483 | Feb 03, 2026 | XSS in MediaWiki Page.Preview.Js (pre 1.43.6, 1.44.3, 1.45.1). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1. |
| CVE-2025-67484 | Feb 03, 2026 | MediaWiki XML API Exec in Pre-1.39.16, 1.43.6, 1.44.3 & 1.45.1. Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. |
| CVE-2025-67480 | Feb 03, 2026 | MediaWiki API Query Revisions Base RCE before 1.39.16/1.43.6/1.44.3/1.45.1. Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. |
| CVE-2025-67475 | Feb 03, 2026 | MediaWiki XSS in CommentParser.Php before 1.39.16 (fixed 1.39.16). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. |
| CVE-2025-67476 | Feb 03, 2026 | MediaWiki <1.44.3/1.45.1: ImportableOldRevisionImporter.PHP RCE. Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. |
| CVE-2025-67477 | Feb 03, 2026 | MediaWiki XSS in ApiSandboxLayout.Js before 1.44.3/1.45.1. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. |
| CVE-2025-67478 | Feb 03, 2026 | CheckUser 1.44.1: UserMailer.Php RCE. Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-67479 | Feb 03, 2026 | MediaWiki <=1.39.13, 1.43.3, 1.44.0 ParserSanitizer RCE. Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61654 | Feb 03, 2026 | Thanks PHP ThanksQueryHelper Vulnerability, pre-1.43.4 & 1.44.1. Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php. This issue affects Thanks: from * before 1.43.4, 1.44.1. |
| CVE-2025-61655 | Feb 03, 2026 | XSS in Wikimedia VisualEditor 1.39.14 / 1.43.4 / 1.44.1. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61656 | Feb 03, 2026 | Wikimedia VisualEditor XSS in ClipboardHandler Js (1.39.14, 1.43.4, 1.44.1). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61657 | Feb 03, 2026 | XSS in Wikimedia Vector before 1.44.1 via stickyHeader.js. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js. This issue affects Vector: from * before 1.43.4, 1.44.1. |
| CVE-2025-61658 | Feb 03, 2026 | CheckUser GlobalContributionsPager PHP flaw before v1.43.4/1.44.1. Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php. This issue affects CheckUser: from * before 1.43.4, 1.44.1. |
| CVE-2025-61653 | Feb 03, 2026 | MediaWiki TextExtracts RCE via ApiQueryExtracts.PHP, fixed before v1.44.1. Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61652 | Feb 03, 2026 | Vulnerability in Wikimedia DiscussionTools pre 1.43.4 & 1.44.1. Vulnerability in Wikimedia Foundation DiscussionTools. This issue affects DiscussionTools: from * before 1.43.4, 1.44.1. |
| CVE-2025-61651 | Feb 03, 2026 | Wikimedia CheckUser <=1.44.0 XSS via buildUserElement.js. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js. This issue affects CheckUser: from * before 1.44.1. |
| CVE-2025-11173 | Feb 03, 2026 | OATHAuth PHP RCE in OATHManage.Php before 1.39.14/1.43.4/1.44.1. Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-11261 | Feb 03, 2026 | MediaWiki XSS in mediawiki.Language.Js (before 1.39.15, 1.43.5, 1.44.2). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2. |
| CVE-2025-61648 | Feb 03, 2026 | Wikimedia CheckUser XSS Vulnerability before 1.44.1. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/ShowIPButton.Vue, modules/ext.CheckUser.TempAccounts/SpecialBlock.Js. This issue affects CheckUser: from * before 1.44.1. |
| CVE-2025-61649 | Feb 03, 2026 | CVE-2025-61649: PHP RCE via Wikimedia CheckUser UserInfoCardService. Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f110651b6af4f41d2d11ae7309. |
| CVE-2025-61650 | Feb 03, 2026 | Wikimedia CheckUser XSS via CheckUserUserInfoCardService (CVE-2025-61650). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from * before 795bf333272206a0189050d975e94b70eb7dc507. |
| CVE-2025-61645 | Feb 03, 2026 | MediaWiki XSS in CodexTablePager.PHP before 1.44.1 (VWMK). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1. |
| CVE-2025-61646 | Feb 03, 2026 | MediaWiki EnhancedChangesList.PHP RCE before 1.44.1. Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61647 | Feb 03, 2026 | CVE-2025-61647: PHP RCE in Wikimedia CheckUser. Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php. This issue affects CheckUser: from a3dc1bbcc33acbcca6831d6afaccbb1054c93a57, 0584eb2ad564648aa3ce9c555dd044dda02b55f4. |
| CVE-2025-61644 | Feb 02, 2026 | MediaWiki XSS via WatchlistTopSectionWidget.js. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before fb856ce9cf121e046305116852cca4899ecb48ca. |
| CVE-2025-61637 | Feb 02, 2026 | MediaWiki XSS via Edit.Preview.Js (pre 1.39.14/1.43.4/1.44.1). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61638 | Feb 02, 2026 | MediaWiki/Parsoid XSS Sanitizer.Php (1.39.14, 1.43.4, 1.44.1; 0.16.6, 0.20.4, 0.21.1). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1. |
| CVE-2025-61639 | Feb 02, 2026 | MediaWiki ManualLogEntry PHP info leak before 1.39.14/1.43.4/1.44.1. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61640 | Feb 02, 2026 | MediaWiki XSS in Rcfilters RclToOrFromWidget.Js (pre 1.39.14/1.43.4/1.44.1). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61641 | Feb 02, 2026 | MediaWiki 1.44 < 1.44.1 AllPages API Vulnerability (Traversal). Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61642 | Feb 02, 2026 | MediaWiki XSS via CodexHTMLForm.PHP before 1.39.14/1.43.4/1.44.1. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61643 | Feb 02, 2026 | MediaWiki RCFeedNotifier PHP RCE <1.39.14, 1.43.4, 1.44.1. Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61634 | Feb 02, 2026 | MediaWiki PageHTMLHandler PHP RCE before 1.39.14/1.43.4/1.44.1. Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-61635 | Feb 02, 2026 | ConfirmEdit FancyCaptcha Reload PHP RCE Vulnerability. Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *. |
| CVE-2025-61636 | Feb 02, 2026 | XSS in MediaWiki <1.39.14, 1.43.4, 1.44.1 via HTMLButtonField.php. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
| CVE-2025-6589 | Feb 02, 2026 | MediaWiki 1.42+ BlockListPager.Php Vulnerability. Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0. |