| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-39936 | Stored XSS in Score due to usage of non-reserved data attributes | The Wikimedia Foundation | Mediawiki - Score Extension | - | - | 2026-04-07 22:11:04 | Deep Dive |
| CVE-2026-39935 | XSS-via-i18n in localised wiki names | The Wikimedia Foundation | Mediawiki - CampaignEvents Extension | - | - | 2026-04-07 22:04:02 | Deep Dive |
| CVE-2026-39934 | Growth Experiments ReassignMenteesJob runs as an infinite loop | The Wikimedia Foundation | Mediawiki - GrowthExperiments Extension | - | - | 2026-04-07 22:00:46 | Deep Dive |
| CVE-2026-39933 | Multiple XSS vulnerabilities in GlobalWatchlist | The Wikimedia Foundation | Mediawiki - GlobalWatchlist Extension | - | - | 2026-04-07 21:51:55 | Deep Dive |
| CVE-2026-39937 | Global vanishing does not completely remove user email | The Wikimedia Foundation | Mediawiki - CentralAuth Extension | - | - | 2026-04-07 21:44:47 | Deep Dive |
| CVE-2026-39837 | Stored XSS through the dynamic table format in Cargo | Wikimedia Foundation | Mediawiki - Cargo Extension | - | - | 2026-04-07 19:47:18 | Deep Dive |
| CVE-2026-39841 | Stored XSS through list fields on Cargo's page values and Special:CargoTables | Wikimedia Foundation | Mediawiki - Cargo Extension | - | - | 2026-04-07 19:43:48 | Deep Dive |
| CVE-2026-39840 | CSS injection in multiple Cargo display formats | Wikimedia Foundation | Mediawiki - Cargo Extension | - | - | 2026-04-07 19:35:36 | Deep Dive |
| CVE-2026-39839 | Stored XSS through URLs in Cargo's map format | Wikimedia Foundation | Mediawiki - Cargo Extension | - | - | 2026-04-07 19:29:11 | Deep Dive |
| CVE-2026-39838 | ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS | Wikimedia Foundation | MediaWiki - ProofreadPage Extension | - | - | 2026-04-07 19:17:52 | Deep Dive |
| CVE-2026-5762 | ReportIncident DiscussionTools integration causes slow requests | Wikimedia Foundation | MediaWiki - ReportIncident Extension | - | - | 2026-04-07 18:42:35 | Deep Dive |
| CVE-2026-22711 | Stored XSS through system messages in WikiLove | The Wikimedia Foundation | Mediawiki - Wikilove Extension | - | - | 2026-04-07 18:39:37 | Deep Dive |
| CVE-2025-67481 | mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does | Wikimedia Foundation | MediaWiki | - | - | 2026-02-03 01:30:40 | Deep Dive |
| CVE-2025-67482 | Lua segfault in unpack() | Wikimedia Foundation | Scribunto | - | - | 2026-02-03 01:28:56 | Deep Dive |
| CVE-2025-67483 | Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels | Wikimedia Foundation | MediaWiki | - | - | 2026-02-03 01:26:28 | Deep Dive |
| CVE-2025-67484 | Action API xslt option allows JavaScript execution by administrators who are not interface administrators | Wikimedia Foundation | MediaWiki | - | - | 2026-02-03 01:24:56 | Deep Dive |
| CVE-2025-67480 | list=allrevisions can be used to bypass Extension:Lockdown | Wikimedia Foundation | MediaWiki | - | - | 2026-02-03 01:23:02 | Deep Dive |
| CVE-2025-67475 | Stored XSS through edit summaries in MW Core | Wikimedia Foundation | MediaWiki | - | - | 2026-02-03 01:21:09 | Deep Dive |
| CVE-2025-67476 | Importing leaks IP address of importer via EventStreams | Wikimedia Foundation | MediaWiki | - | - | 2026-02-03 01:18:55 | Deep Dive |
| CVE-2025-67477 | Stored XSS through a system message in Special:ApiSandbox | Wikimedia Foundation | MediaWiki | - | - | 2026-02-03 01:16:41 | Deep Dive |