Wikimedia Mediawiki
EOL Dates
Ensure that you are using a supported version of Wikimedia Mediawiki. Here are some end of life, and end of support dates for Wikimedia Mediawiki.
| Release | EOL Date | Status |
|---|---|---|
| 1.45 | December 31, 2026 | EOL This Year. Wikimedia Mediawiki 1.45 will become EOL this year, in December 2026. |
| 1.44 | July 31, 2026 | EOL This Year. Wikimedia Mediawiki 1.44 will become EOL this year, in July 2026. |
| 1.43 | December 31, 2027 | Active. Wikimedia Mediawiki 1.43 will become EOL next year, in December 2027. |
| 1.42 | June 30, 2025 | EOL. Wikimedia Mediawiki 1.42 became EOL in 2025. |
| 1.41 | December 31, 2024 | EOL. Wikimedia Mediawiki 1.41 became EOL in 2024. |
| 1.40 | June 28, 2024 | EOL. Wikimedia Mediawiki 1.40 became EOL in 2024. |
| 1.39 | December 31, 2025 | EOL. Wikimedia Mediawiki 1.39 became EOL in 2025. |
| 1.38 | June 30, 2023 | EOL. Wikimedia Mediawiki 1.38 became EOL in 2023. |
| 1.37 | November 30, 2022 | EOL. Wikimedia Mediawiki 1.37 became EOL in 2022. |
| 1.36 | June 3, 2022 | EOL. Wikimedia Mediawiki 1.36 became EOL in 2022. |
| 1.35 | December 21, 2023 | EOL. Wikimedia Mediawiki 1.35 became EOL in 2023. |
| 1.34 | November 30, 2020 | EOL. Wikimedia Mediawiki 1.34 became EOL in 2020. |
| 1.33 | June 30, 2020 | EOL. Wikimedia Mediawiki 1.33 became EOL in 2020. |
| 1.32 | January 24, 2020 | EOL. Wikimedia Mediawiki 1.32 became EOL in 2020. |
| 1.31 | September 30, 2021 | EOL. Wikimedia Mediawiki 1.31 became EOL in 2021. |
By the Year
In 2026 there have been 50 vulnerabilities in Wikimedia Mediawiki, with an average score of 5.8 out of ten. Last year, in 2025, Mediawiki had 20 security vulnerabilities published. That is, 30 more vulnerabilities have already been reported in 2026 compared to last year. Last year, the average CVE base score was greater by 2.97.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 50 | 5.83 |
| 2025 | 20 | 8.80 |
| 2024 | 2 | 6.10 |
| 2023 | 2 | 5.70 |
| 2022 | 3 | 4.83 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 0.00 |
| 2019 | 1 | 0.00 |
It may take a day or so for new Mediawiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Wikimedia Mediawiki Security Vulnerabilities
MediaWiki Score Extension: XSS via Improper Input Neutralization
CVE-2026-39936
- April 07, 2026
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
XSS
MediaWiki CampaignEvents XSS <=1.45.2 (Before 1.45.3)
CVE-2026-39935
- April 07, 2026
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS). This issue was remediated only on the `master` branch.
XSS
MediaWiki GrowthExperiments Ext 1.45.2/1.44.4/1.43.7 Infinite Loop via TOCTOU
CVE-2026-39934
- April 07, 2026
Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch.
Infinite Loop
XSS in MediaWiki GlobalWatchlist Ext
CVE-2026-39933
- April 07, 2026
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
XSS
MediaWiki CentralAuth SLY: Sensitive Data Leak via Improper Info Removal
CVE-2026-39937
- April 07, 2026
Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
Improper Removal of Sensitive Information Before Storage or Transfer
MediaWiki Cargo 3.8.7 Stored XSS via Script Tag
CVE-2026-39837
- April 07, 2026
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Basic XSS
Mediawiki CargoExt <3.8.7: Stored XSS via Script-Rel HTML Tags
CVE-2026-39841
- April 07, 2026
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Basic XSS
Mediawiki Cargo Ext XSS before 3.8.7 Target Non-Script Elements
CVE-2026-39840
- April 07, 2026
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
XSS
Mediawiki Cargo Ext Before 3.8.7: Stored XSS via Script Tags
CVE-2026-39839
- April 07, 2026
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
Basic XSS
MediaWiki ProofreadPage XSS via NonScript Element Injection
CVE-2026-39838
- April 07, 2026
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
XSS
DoS via unchecked resource allocation in MediaWiki ReportInc Ext 1.43.7-1.45.2
CVE-2026-5762
- April 07, 2026
Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS. This issue was remediated only on the `master` branch.
Allocation of Resources Without Limits or Throttling
MediaWiki - Wikilove Ext XSS via alt syntax 1.43.7-1.45.2
CVE-2026-22711
- April 07, 2026
Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
Improper Neutralization of Alternate XSS Syntax
MediaWiki XSS via mediawiki.JqueryMsg.Js before 1.45.1
CVE-2025-67481
- February 03, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
XSS
XSS in MediaWiki Page.Preview.Js (pre-1.43.6, 1.44.3, 1.45.1)
CVE-2025-67483
- February 03, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.
XSS
MediaWiki XML API Exec in Pre-1.39.16, 1.43.6, 1.44.3 & 1.45.1
CVE-2025-67484
- February 03, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Improper Input Validation
MediaWiki API Query Revisions Base RCE before 1.39.16/1.43.6/1.44.3/1.45.1
CVE-2025-67480
- February 03, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Improper Input Validation
MediaWiki XSS in CommentParser.Php before 1.39.16 (fixed 1.39.16)
CVE-2025-67475
- February 03, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
XSS
MediaWiki <1.44.3/1.45.1: ImportableOldRevisionImporter.PHP RCE
CVE-2025-67476
- February 03, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.
MediaWiki XSS in ApiSandboxLayout.Js before 1.44.3/1.45.1
CVE-2025-67477
- February 03, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.
XSS
MediaWiki <=1.39.13, 1.43.3, 1.44.0 ParserSanitizer RCE
CVE-2025-67479
- February 03, 2026
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki XSS in mediawiki.Language.Js (before 1.39.15, 1.43.5, 1.44.2)
CVE-2025-11261
- February 03, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2.
XSS
MediaWiki XSS in CodexTablePager.PHP before 1.44.1 (VWMK)
CVE-2025-61645
- February 03, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.
XSS
MediaWiki EnhancedChangesList.PHP RCE before 1.44.1
CVE-2025-61646
- February 03, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Directory traversal
MediaWiki XSS via WatchlistTopSectionWidget.js
CVE-2025-61644
- February 02, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca.
XSS
MediaWiki XSS via Edit.Preview.Js (pre-1.39.14/1.43.4/1.44.1)
CVE-2025-61637
- February 02, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
XSS
MediaWiki/Parsoid XSS Sanitizer.Php (1.39.14,1.43.4,1.44.1; 0.16.6,0.20.4,0.21.1)
CVE-2025-61638
- February 02, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1.
XSS
MediaWiki ManualLogEntry PHP info leak before 1.39.14/1.43.4/1.44.1
CVE-2025-61639
- February 02, 2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Information Disclosure
MediaWiki XSS in Rcfilters RclToOrFromWidget.Js (pre-1.39.14/1.43.4/1.44.1)
CVE-2025-61640
- February 02, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
XSS
MediaWiki 1.44 < 1.44.1 AllPages API Vulnerability (Traversal)
CVE-2025-61641
- February 02, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Directory traversal
MediaWiki XSS via CodexHTMLForm.PHP before 1.39.14/1.43.4/1.44.1
CVE-2025-61642
- February 02, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
XSS
MediaWiki RCFeedNotifier PHP RCE <1.39.14, 1.43.4, 1.44.1
CVE-2025-61643
- February 02, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
MediaWiki PageHTMLHandler PHP RCE before 1.39.14/1.43.4/1.44.1
CVE-2025-61634
- February 02, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
XSS in MediaWiki <1.39.14, 1.43.4, 1.44.1 via HTMLButtonField.php
CVE-2025-61636
- February 02, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
XSS
MediaWiki 1.42+ BlockListPager.Php Vulnerability
CVE-2025-6589
- February 02, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0.
Directory traversal
MediaWiki <1.44.0 Unauthorized Info Leak via HTMLUserTextField
CVE-2025-6590
- February 02, 2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0.
Information Disclosure
MediaWiki ApiFeedContributions.php Vulnerability pre-1.39.13/1.42.7/1.44.0
CVE-2025-6591
- February 02, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
XSS
MediaWiki User.Php Path Traversal 1.27.0-1.39.13, 1.42.7-1.44.0
CVE-2025-6593
- February 02, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
Information Disclosure
MediaWiki XSS via ApiSandbox.Js <=1.39.13,1.42.7,1.43.2,1.44.0
CVE-2025-6594
4.7 - Medium
- February 02, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
XSS
MediaWiki AuthManager PHP RCE before 1.39.13, 1.42.7, 1.43.2, 1.44.0
CVE-2025-6597
- February 02, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
Directory traversal
MediaWiki 1.42-1.44 BlockListPager.Php & ApiQueryBlocks.Php Vulnerability
CVE-2025-6927
- February 02, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
Directory traversal
Mediawiki DiscussionTools 1.43/1.44: EL Injection & Regex DoS
CVE-2025-11175
- January 30, 2026
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.
EL Injection
Missing Auth in MediaWiki CampaignEvents Ext 1.45-1.39 Priv Abuse
CVE-2026-0817
5.3 - Medium
- January 09, 2026
Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse. This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39.
AuthZ
MediaWiki ApprovedRevs 1.45-1.39 - XSS via magic word escape
CVE-2026-22712
- January 09, 2026
Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation. This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.
Output Sanitization
MediaWiki GrowthExperiments XSS Before 1.45 Fixed
CVE-2026-22713
- January 09, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39.
XSS
Mediawiki - Monaco Skin XSS Vulnerability in v1.45,1.44,1.43,1.39
CVE-2026-22714
- January 08, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.
XSS
MediaWiki Wikibase 1.45 XSS via Improper Input Neutralization
CVE-2026-22710
- January 08, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.
XSS
MediaWiki UploadWizard XSS in v1.39-1.45
CVE-2026-0671
6.1 - Medium
- January 08, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39.
XSS
ProofreadPage Extension 1.39-1.45 XSS Vulnerability
CVE-2026-0670
6.1 - Medium
- January 07, 2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39.
XSS
MediaWiki CSS Ext. Path Traversal (1.44) CVE-2026-0669
CVE-2026-0669
7.5 - High
- January 07, 2026
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal. This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39.
Directory traversal
MediaWiki VisualData Ext 1.45 ReDoS via Regex Exponential Blowup
CVE-2026-0668
5.3 - Medium
- January 07, 2026
Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup. This issue affects MediaWiki - VisualData Extension: 1.45.
ReDoS