dokuwiki
Web & CMS Plugins | oss-project
Latest CVEs
The 15 most recently published vulnerabilities affecting dokuwiki.
- CVE-2026-26477: An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file (score 4.3)
- CVE-2019-25338: Dokuwiki 2018-04-22b - Username Enumeration (score 5.3)
- CVE-2023-34408: DokuWiki before 2023-04-04a allows XSS via RSS titles. (score 5.4)
- CVE-2022-3123: Cross-site Scripting (XSS) - Reflected in splitbrain/dokuwiki (score 6.1)
- CVE-2022-28919: HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename. (score 6.1)
- CVE-2018-15474: CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to ... (score 9.6)
- CVE-2017-18123: The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to r... (score 8.6)
- CVE-2017-12980: DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-... (score 6.1)
- CVE-2017-12979: DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger ... (score 6.1)
- CVE-2017-12583: DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php. (score 6.1)
- CVE-2016-7965: DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can c... (score 6.5)
- CVE-2016-7964: The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. Thi... (score 8.6)
- CVE-2015-2172: DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules vi... (score 6.5)
- CVE-2014-9253: The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an S... (score 4.3)
- CVE-2014-8764: DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) charac... (score 5.0)