wikimedia

Top products

The 12 most recently published vulnerabilities affecting wikimedia.

• CVE-2026-0817CampaignEvents API missing authorization exposes meeting and chat URLs5.3Jan 9, 2026
• CVE-2026-22710Stored XSS through autocomment system messages in Wikibase5.4Jan 8, 2026
• CVE-2026-0671Multiple stored i18n/message-key XSSes in UploadWizard6.1Jan 8, 2026
• CVE-2024-47841Path traversal when loading stylesheets7.5Oct 5, 2024
• CVE-2024-47840Stored XSS through sidebar in Apex skin4.8Oct 5, 2024
• CVE-2024-47845CSS sanitizer used incorrectly, and is easily bypassed8.2Oct 5, 2024
• CVE-2018-25065Wikimedia mediawiki-extensions-I18nTags Unlike Parser I18nTags_body.php cross site scripting3.5Jan 5, 2023
• CVE-2020-36324Wikimedia Quarry analytics-quarry-web before 2020-12-15 allows Reflected XSS because app.py does not explicitly set the application/json content type.6.1Apr 21, 2021
• CVE-2021-30458An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing san...6.1Apr 9, 2021
• CVE-2019-19327ui/ResultView.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection when reporting the number of results and number of milliseconds. NOTE: this GUI code i...6.1Nov 27, 2019
• CVE-2019-19328ui/editor/tooltip/Rdf.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection in tooltips for entities. NOTE: this GUI code is no longer bundled with the Wi...6.1Nov 27, 2019
• CVE-2019-19329In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07, when mathematical expressions in results are displayed directly, arbitrary JavaScript execution can occur, aka XSS. This was...6.1Nov 27, 2019