Mediawiki

This hub aggregates every CVE we track for Mediawiki, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Mediawiki.

• CVE-2026-34095action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request6.1May 11, 2026
• CVE-2026-34094Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix3.8May 11, 2026
• CVE-2026-34093Special:UserRights allows viewing user rights from private wiki5.3May 11, 2026
• CVE-2026-34092Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP7.5May 11, 2026
• CVE-2026-34091User localization leaked by AbuseFilter + EventStream7.5May 11, 2026
• CVE-2026-34088RecentChanges entries expose suppressed content via generated log page html7.5May 11, 2026
• CVE-2026-34087Users API leaks whether privileged users have their user groups disabled for lack of 2FA7.5May 11, 2026
• CVE-2025-67484Action API xslt option allows JavaScript execution by administrators who are not interface administrators9.8Feb 3, 2026
• CVE-2025-67480list=allrevisions can be used to bypass Extension:Lockdown6.5Feb 3, 2026
• CVE-2025-67476Importing leaks IP address of importer via EventStreams4.3Feb 3, 2026
• CVE-2025-61637Stored XSS through system messages in MW Core4.8Feb 2, 2026
• CVE-2025-61638Sanitizer::validateAttributes data-XSS4.8Feb 2, 2026
• CVE-2025-61639Suppressed blocked IP is visible in Special:BlockList, RC, and other places4.8Feb 2, 2026
• CVE-2025-61640Stored XSS through system messages in Special:RecentChangesLinked (MW Core)4.8Feb 2, 2026
• CVE-2025-6590Complete content leak of private wikis due to PasswordReset Wikitext injection in error message5.4Feb 2, 2026