Wikimedia Foundation — Vulnerabilities & Security Advisories 107

Browse all 107 CVE security advisories affecting Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-39837 | Stored XSS through the dynamic table format in Cargo — Mediawiki - Cargo Extension (CWE-80) | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39841 | Stored XSS through list fields on Cargo's page values and Special:CargoTables — Mediawiki - Cargo Extension (CWE-80) | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39840 | CSS injection in multiple Cargo display formats — Mediawiki - Cargo Extension (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39839 | Stored XSS through URLs in Cargo's map format — Mediawiki - Cargo Extension (CWE-80) | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39838 | ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS — MediaWiki - ProofreadPage Extension (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-5762 | ReportIncident DiscussionTools integration causes slow requests — MediaWiki - ReportIncident Extension (CWE-770) | 7.5 (AI) | High (AI) | 2026-04-07 |
| CVE-2025-67481 | mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does — MediaWiki (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67482 | Lua segfault in unpack() — Scribunto | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67483 | Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels — MediaWiki (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67484 | Action API xslt option allows JavaScript execution by administrators who are not interface administrators — MediaWiki | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67480 | list=allrevisions can be used to bypass Extension:Lockdown — MediaWiki | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67475 | Stored XSS through edit summaries in MW Core — MediaWiki (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67476 | Importing leaks IP address of importer via EventStreams — MediaWiki | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67477 | Stored XSS through a system message in Special:ApiSandbox — MediaWiki (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-67478 | Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, Jähn" — CheckUser | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-67479 | Magic word replacement in legacy parser allows using reserved data attributes through wikitext — MediaWiki | 9.1 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-61654 | UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks — Thanks | 4.3 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61655 | Stored XSS through system messages in VisualEditor — VisualEditor (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61656 | XSS when pasting into VE — VisualEditor (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61657 | Wikimedia Vector security vulnerability — Vector (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61658 | Special:GlobalContributions shows edits on wikis the viewer doesn't have access to — CheckUser | 9.1 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-61653 | Extension:TextExtracts does not check for authorizeRead when returning extracts — TextExtracts | 8.1 (AI) | High (AI) | 2026-02-03 |
| CVE-2025-61652 | Action API discussiontoolspageinfo does not check for authorizeRead for the page — DiscussionTools | 6.5 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61651 | i18n XSS through Special:CheckUser CheckUser helper — CheckUser (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-11173 | Reauth for enabling 2FA can be bypassed by submitting a form — OATHAuth | 8.1 (AI) | High (AI) | 2026-02-03 |
| CVE-2025-11261 | Stored i18n XSS exposed by security patch for T402077 — MediaWiki (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61648 | Stored XSS through system messages in CheckUser — CheckUser (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61649 | UserInfoCard: Check that performing user has permission to view log entries for number of past blocks — CheckUser | 9.1 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-61650 | UserInfoCard is vulnerable to message key stored XSS — CheckUser (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-61645 | CodexTablePager has i18n XSS — MediaWiki (CWE-79) | 6.1 (AI) | Medium (AI) | 2026-02-03 |

This page lists every published CVE security advisory associated with Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.