Mediawiki
This hub aggregates every CVE we track for Mediawiki, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.
258
CVEs tracked
19
Critical
55
High
0
In CISA KEV
Severity distribution
MEDIUM177HIGH55CRITICAL19LOW7
Monthly trend
0
0
0
0
0
0
0
0
6
0
0
0
0
0
0
0
0
0
4
0
0
0
0
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Mediawiki.
- CVE-2025-61637Stored XSS through system messages in MW Core4.8
- CVE-2025-61638Sanitizer::validateAttributes data-XSS4.8
- CVE-2025-61639Suppressed blocked IP is visible in Special:BlockList, RC, and other places4.8
- CVE-2025-61640Stored XSS through system messages in Special:RecentChangesLinked (MW Core)4.8
- CVE-2025-32072HTML injection in feed output from i18n message8.3
- CVE-2025-32699Potential javascript injection attack enabled by Unicode normalization in Action API5.3
- CVE-2025-32698LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions4.3
- CVE-2025-32697Cascading protection is not preventing file reversions4.3
- CVE-2025-32696"reupload-own" restriction can be bypassed by reverting file3.5
- CVE-2025-3469i18n XSS vulnerability in HTMLMultiSelectField when sections are used5.3
- CVE-2024-34500An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in ...6.1
- CVE-2024-34506An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. If a user with the necessary rights to move the page ope...7.5
- CVE-2024-34507An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. XSS can occur because of mishandling of the 0x1b c...7.4
- CVE-2024-34502An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the fro...9.8
- CVE-2024-23174An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-ta...5.4
Product normalization is registry-driven with AI assist and human review. How it works