
Wikimedia Foundation — Vulnerabilities & Security Advisories (118)

Browse all 118 CVE security advisories affecting the Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references are provided for each vulnerability.

The Wikimedia Foundation operates the world’s largest collaborative encyclopedia platform, hosting Wikipedia and related projects that serve billions of monthly visitors. Its infrastructure relies on complex software stacks, including MediaWiki, which has historically been susceptible to various vulnerability classes. Common issues include cross-site scripting (XSS), SQL injection, and remote code execution (RCE) stemming from legacy code paths or misconfigurations. While the organization maintains a robust security posture with regular audits and bug bounty programs, the sheer scale of its codebase and the open nature of its editing model present unique challenges. Recent years have seen efforts to mitigate privilege escalation risks and improve input validation. Despite these ongoing technical hurdles, the Foundation remains a critical public resource, balancing transparency with the need to protect user data and system integrity against sophisticated cyber threats targeting its extensive digital footprint.

Values marked (AI) are shown on the original page as AI-generated estimates; "-" means no value is listed for that entry.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-5266 | Wikimedia Echo information disclosure vulnerability | Echo | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34095 | action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request | MediaWiki | - | - | - | 2026-05-11 |
| CVE-2026-34094 | Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix | MediaWiki | - | - | - | 2026-05-11 |
| CVE-2026-34093 | Special:UserRights allows viewing user rights from private wiki | MediaWiki | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34092 | Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP | MediaWiki | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34091 | User localization leaked by AbuseFilter + EventStream | MediaWiki | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34090 | Suggested investigations: Handle suppressed usernames | CheckUser | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34089 | Memory leak in Scribunto causes runJobs.php to run out of memory | Scribunto | - | - | - | 2026-05-11 |
| CVE-2026-34088 | RecentChanges entries expose suppressed content via generated log page html | MediaWiki | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34087 | Users API leaks whether privileged users have their user groups disabled for lack of 2FA | OATHAuth | CWE-200 | - | - | 2026-05-11 |
| CVE-2026-34086 | AbuseFilter misuses ::userCanBitfield, exposing access-controlled information | AbuseFilter | - | - | - | 2026-05-11 |
| CVE-2026-39837 | Stored XSS through the dynamic table format in Cargo | Mediawiki - Cargo Extension | CWE-80 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39841 | Stored XSS through list fields on Cargo's page values and Special:CargoTables | Mediawiki - Cargo Extension | CWE-80 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39840 | CSS injection in multiple Cargo display formats | Mediawiki - Cargo Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39839 | Stored XSS through URLs in Cargo's map format | Mediawiki - Cargo Extension | CWE-80 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39838 | ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS | MediaWiki - ProofreadPage Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-5762 | ReportIncident DiscussionTools integration causes slow requests | MediaWiki - ReportIncident Extension | CWE-770 | 7.5 (AI) | High (AI) | 2026-04-07 |
| CVE-2025-67481 | mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67482 | Lua segfault in unpack() | Scribunto | - | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67483 | Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67484 | Action API xslt option allows JavaScript execution by administrators who are not interface administrators | MediaWiki | - | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67480 | list=allrevisions can be used to bypass Extension:Lockdown | MediaWiki | - | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67475 | Stored XSS through edit summaries in MW Core | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67476 | Importing leaks IP address of importer via EventStreams | MediaWiki | - | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67477 | Stored XSS through a system message in Special:ApiSandbox | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67478 | Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, Jähn" | CheckUser | - | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67479 | Magic word replacement in legacy parser allows using reserved data attributes through wikitext | MediaWiki | - | 9.1 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-61654 | UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks | Thanks | - | 4.3 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61655 | Stored XSS through system messages in VisualEditor | VisualEditor | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61656 | XSS when pasting into VE | VisualEditor | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-03 |

This page lists every published CVE security advisory associated with the Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.