Wikimedia Foundation — Vulnerabilities & Security Advisories 107

Browse all 107 CVE security advisories affecting Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-61646 | Watchlist group mode reveals authors of edits with hidden authorship | MediaWiki | - | 8.2 (AI) | High (AI) | 2026-02-03 |
| CVE-2025-61647 | UserInfoCard: Don't allow access to information about users who are suppressed if you don't have suppressor rights | CheckUser | - | 9.8 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-61644 | i18n XSS through Special:Watchlist | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61637 | Stored XSS through system messages in MW Core | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61638 | Sanitizer::validateAttributes data-XSS | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61639 | Suppressed blocked IP is visible in Special:BlockList, RC, and other places | MediaWiki | CWE-200 | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-61640 | Stored XSS through system messages in Special:RecentChangesLinked (MW Core) | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61641 | API list=allpages with maxsize is making really slow queries | MediaWiki | - | 9.1 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-61642 | Stored XSS through system messages provided to CodexHtmlForms | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61643 | EventStreams publishes suppressed recent change entries that are suppressed from their creation | MediaWiki | - | 5.3 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-61634 | HTML rest endpoint needs PoolCounter and proper parser cache check | MediaWiki | - | 9.4 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-61635 | Add rate limiting to ApiFancyCaptchaReload | ConfirmEdit | - | 8.1 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-61636 | Codex Special:Block vulnerable to message key XSS | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6589 | With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList | MediaWiki | - | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6590 | Complete content leak of private wikis due to PasswordReset Wikitext injection in error message | MediaWiki | CWE-200 | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6591 | HTML injection in API action=feedcontributions output from i18n message | MediaWiki | - | 8.2 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6592 | Creating a permanent account from a temporary account associates temp username and IP address with real username in AbuseLog | AbuseFilter | - | 9.8 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-6593 | "{{SITENAME}} registered email address has been changed" email sent to unverified email addresses | MediaWiki | - | 8.1 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-6594 | XSS in Special:ApiSandbox | MediaWiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6595 | MediaWiki security vulnerability | MultimediaViewer | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6596 | Vector inserts portlet labels as HTML, allowing for stored XSS through system messages | Vector | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2025-6597 | MediaWiki should not consider autocreation as login for the purposes of security reauthentication | MediaWiki | - | 9.8 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-6927 | Autoblocks from global account suppressions are publicly visible | MediaWiki | - | 8.2 (AI) | High (AI) | 2026-02-02 |
| CVE-2026-0817 | CampaignEvents API missing authorization exposes meeting and chat URLs | MediaWiki - CampaignEvents extension | CWE-862 | 8.8 | - | 2026-01-09 |
| CVE-2026-0671 | Multiple stored i18n/message-key XSSes in UploadWizard | MediaWiki - UploadWizard extension | CWE-79 | 6.1 | - | 2026-01-08 |
| CVE-2026-0670 | Stored XSS through a system message and a user-provided parameter in ProofreadPage | MediaWiki - ProofreadPage Extension | CWE-79 | 6.1 | - | 2026-01-07 |
| CVE-2026-0669 | Path Traversal vulnerability in CSS extension on certain web servers | MediaWiki - CSS extension | CWE-22 | 7.5 | - | 2026-01-07 |
| CVE-2026-0668 | VisualData extension: Regular Expression Denial of Service (ReDoS) via crafted user input | MediaWiki - VisualData Extension | CWE-1333 | 7.5 | - | 2026-01-07 |
| CVE-2025-52738 | WordPress Wikipedia Preview plugin <= 1.15.0 - Broken Access Control vulnerability | Wikipedia Preview | CWE-862 | 6.5 | Medium | 2025-10-22 |
| CVE-2025-62665 | Stored XSS through system messages in Skin:BlueSky | Mediawiki - Skin:BlueSky | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-18 |

This page lists every published CVE security advisory associated with Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.