| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2025-32699 | Potential javascript injection attack enabled by Unicode normalization in Action API | Wikimedia Foundation | MediaWiki | - | - | 2025-04-10 18:30:24 | Deep Dive |
| CVE-2025-32698 | LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions | Wikimedia Foundation | MediaWiki | - | - | 2025-04-10 18:29:52 | Deep Dive |
| CVE-2025-32697 | Cascading protection is not preventing file reversions | Wikimedia Foundation | MediaWiki | - | - | 2025-04-10 18:29:17 | Deep Dive |
| CVE-2025-32696 | "reupload-own" restriction can be bypassed by reverting file | Wikimedia Foundation | MediaWiki | - | - | 2025-04-10 18:28:48 | Deep Dive |
| CVE-2025-3469 | i18n XSS vulnerability in HTMLMultiSelectField when sections are used | Wikimedia Foundation | MediaWiki | - | - | 2025-04-10 18:28:13 | Deep Dive |
| CVE-2025-25287 | Lakeus vulnerable to stored XSS via system messages | lakejason0 | mediawiki-skins-Lakeus | Medium | 4.7 | 2025-02-13 15:28:40 | Deep Dive |
| CVE-2025-23074 | Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed) | Wikimedia Foundation | Mediawiki - SocialProfile Extension | Low | - | 2025-01-14 18:58:20 | Deep Dive |
| CVE-2025-23073 | API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter | Wikimedia Foundation | Mediawiki - GlobalBlocking Extension | Medium | - | 2025-01-14 18:45:32 | Deep Dive |
| CVE-2025-23072 | XSS in Special:RefreshSpecial | Wikimedia Foundation | Mediawiki - RefreshSpecial Extension | Medium | - | 2025-01-14 18:29:21 | Deep Dive |
| CVE-2025-23081 | Various security vulnerabilities in Extension:DataTransfer | Wikimedia Foundation | Mediawiki - DataTransfer Extension | Medium | - | 2025-01-14 16:56:42 | Deep Dive |
| CVE-2025-23080 | XSSes in Special:BadgeView | Wikimedia Foundation | Mediawiki - OpenBadges Extension | Medium | - | 2025-01-14 16:40:42 | Deep Dive |
| CVE-2025-23079 | XSSes in Extension:ArticleFeedbackv5 | Wikimedia Foundation | Mediawiki - ArticleFeedbackv5 extension | Medium | - | 2025-01-10 19:03:15 | Deep Dive |
| CVE-2025-23078 | XSS in BreadCrumbs2 | Wikimedia Foundation | Mediawiki - Breadcrumbs2 extension | Medium | - | 2025-01-10 17:57:21 | Deep Dive |
| CVE-2025-21612 | Cross-site Scripting in TabberTransclude in Extension:TabberNeue | StarCitizenTools | mediawiki-extensions-TabberNeue | High | 8.6 | 2025-01-06 15:47:27 | Deep Dive |
| CVE-2024-47841 | Path traversal when loading stylesheets | The Wikimedia Foundation | Mediawiki - CSS Extension | Medium | - | 2024-10-05 01:02:32 | Deep Dive |
| CVE-2024-47840 | Stored XSS through sidebar in Apex skin | The Wikimedia Foundation | Mediawiki - Apex skin | Medium | - | 2024-10-05 00:53:39 | Deep Dive |
| CVE-2024-47847 | Various XSSes found in Cargo | The Wikimedia Foundation | Mediawiki - Cargo | Medium | - | 2024-10-05 00:47:24 | Deep Dive |
| CVE-2024-47846 | Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection | The Wikimedia Foundation | Mediawiki - Cargo | Medium | - | 2024-10-05 00:39:58 | Deep Dive |
| CVE-2024-47849 | Backticks can allow the usage of not-allowed SQL functions | The Wikimedia Foundation | Mediawiki - Cargo | Medium | - | 2024-10-05 00:29:44 | Deep Dive |
| CVE-2024-47845 | CSS sanitizer used incorrectly, and is easily bypassed | The Wikimedia Foundation | Mediawiki - CSS Extension | Medium | - | 2024-10-05 00:09:09 | Deep Dive |