Search criteria
200 vulnerabilities
CVE-2026-14363 (GCVE-0-2026-14363)
Vulnerability from cvelistv5 – Published: 2026-07-01 19:22 – Updated: 2026-07-02 13:10
VLAI?
Title
Cargo Extension: SQLi in Special:Drilldown
Summary
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.
This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.
Severity ?
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Cargo Extension |
Affected:
* , < 1.43.9,1.44.6,1.45.4
(semver)
|
Credits
GICodeWarrior
Yaron_Koren
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14363",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T13:10:13.552599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T13:10:36.142Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://phabricator.wikimedia.org/T422774"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Cargo Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.9,1.44.6,1.45.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "GICodeWarrior"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yaron_Koren"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027) vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.\u003cp\u003eThis issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.\u003c/p\u003e"
}
],
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027) vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.\n\nThis issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T19:22:33.373Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T422774"
},
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1279498"
},
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1269701"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cargo Extension: SQLi in Special:Drilldown",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-14363",
"datePublished": "2026-07-01T19:22:33.373Z",
"dateReserved": "2026-07-01T19:17:15.130Z",
"dateUpdated": "2026-07-02T13:10:36.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14358 (GCVE-0-2026-14358)
Vulnerability from cvelistv5 – Published: 2026-07-01 18:48 – Updated: 2026-07-01 19:24
VLAI?
Title
Stored XSS in Wikimedia Chart pie tooltip via Data:*.tab field title
Summary
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS).
This issue affects Mediawiki - Charts Extension: from * before 1.43.9,1.44.6,1.45.4.
Severity ?
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Charts Extension |
Affected:
* , < 1.43.9,1.44.6,1.45.4
(semver)
|
Credits
Reedy
aude
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T19:24:03.882806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T19:24:16.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Charts Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.9,1.44.6,1.45.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Reedy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "aude"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - Charts Extension: from * before 1.43.9,1.44.6,1.45.4.\u003c/p\u003e"
}
],
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS).\n\nThis issue affects Mediawiki - Charts Extension: from * before 1.43.9,1.44.6,1.45.4."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T18:48:55.744Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T430548"
},
{
"url": "https://gerrit.wikimedia.org/r/q/Ibdaa7c852ae83f562e84dddc9c96ad64e2152210"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Wikimedia Chart pie tooltip via Data:*.tab field title",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-14358",
"datePublished": "2026-07-01T18:48:55.744Z",
"dateReserved": "2026-07-01T18:31:17.357Z",
"dateUpdated": "2026-07-01T19:24:16.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58517 (GCVE-0-2026-58517)
Vulnerability from cvelistv5 – Published: 2026-07-01 18:23 – Updated: 2026-07-01 18:35
VLAI?
Title
Blocked users can create and edit WikiLambda objects
Summary
Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.
This issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.
Severity ?
CWE
- CWE-288 - Authentication bypass using an alternate path or channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - WikiLambda Extension |
Affected:
* , < 1.43.9,1.44.6,1.45.4
(semver)
|
Credits
SomeRandomDeveloper
Jdforrester-WMF
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T18:34:52.042792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T18:35:06.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - WikiLambda Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.9,1.44.6,1.45.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SomeRandomDeveloper"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jdforrester-WMF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.\u003cp\u003eThis issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.\u003c/p\u003e"
}
],
"value": "Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.\n\nThis issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication bypass using an alternate path or channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T18:23:02.161Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T428833"
},
{
"url": "https://gerrit.wikimedia.org/r/c/1305376"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Blocked users can create and edit WikiLambda objects",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58517",
"datePublished": "2026-07-01T18:23:02.161Z",
"dateReserved": "2026-07-01T03:40:44.768Z",
"dateUpdated": "2026-07-01T18:35:06.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58521 (GCVE-0-2026-58521)
Vulnerability from cvelistv5 – Published: 2026-07-01 17:30 – Updated: 2026-07-01 17:58
VLAI?
Title
SQLi in Cargo extension via year range filter
Summary
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.
This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.
Severity ?
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Cargo Extension |
Affected:
* , < 1.43.9,1.44.6,1.45.4
(semver)
|
Credits
Andmcadams
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58521",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T17:57:51.606026Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T17:58:23.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://phabricator.wikimedia.org/T428274"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Cargo Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.9,1.44.6,1.45.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Andmcadams"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027) vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.\u003cp\u003eThis issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.\u003c/p\u003e"
}
],
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027) vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.\n\nThis issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T17:30:50.009Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T428274"
},
{
"url": "https://gerrit.wikimedia.org/r/c/1298854"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQLi in Cargo extension via year range filter",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58521",
"datePublished": "2026-07-01T17:30:50.009Z",
"dateReserved": "2026-07-01T03:40:44.769Z",
"dateUpdated": "2026-07-01T17:58:23.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58520 (GCVE-0-2026-58520)
Vulnerability from cvelistv5 – Published: 2026-07-01 17:14 – Updated: 2026-07-01 17:56
VLAI?
Title
UrlShortener defaults to ineffective validation open to third-party redirects
Summary
URL redirection to untrusted site ('open redirect') vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing.
This issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4.
Severity ?
CWE
- CWE-601 - URL redirection to untrusted site ('open redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - UrlShortener Extension |
Affected:
* , < 1.43.9, 1.44.6, 1.45.4
(semver)
|
Credits
Krinkle
DAlangi_WMF
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58520",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T17:55:53.098995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T17:56:06.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - UrlShortener Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.9, 1.44.6, 1.45.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krinkle"
},
{
"lang": "en",
"type": "finder",
"value": "DAlangi_WMF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "URL redirection to untrusted site (\u0027open redirect\u0027) vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing.\u003cp\u003eThis issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4.\u003c/p\u003e"
}
],
"value": "URL redirection to untrusted site (\u0027open redirect\u0027) vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing.\n\nThis issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4."
}
],
"impacts": [
{
"capecId": "CAPEC-178",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-178 Cross-Site Flashing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T17:14:06.292Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T418431"
},
{
"url": "https://gerrit.wikimedia.org/r/q/I7a59cc4c351b5aa47ed46f7a14a1105fd1ecc5b5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "UrlShortener defaults to ineffective validation open to third-party redirects",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58520",
"datePublished": "2026-07-01T17:14:06.292Z",
"dateReserved": "2026-07-01T03:40:44.769Z",
"dateUpdated": "2026-07-01T17:56:06.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58025 (GCVE-0-2026-58025)
Vulnerability from cvelistv5 – Published: 2026-07-01 15:23 – Updated: 2026-07-01 15:51
VLAI?
Title
Remote Code Execution via Unsafe Deserialization in LogItem Import
Summary
Deserialization of untrusted data vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Import/WikiImporter.Php, includes/Import/WikiRevision.Php, includes/Logging/LogEntryBase.Php.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:51:46.171460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:51:56.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Import/WikiImporter.php",
"includes/Import/WikiRevision.php",
"includes/Logging/LogEntryBase.php",
"https://phabricator.wikimedia.org/T422244"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of untrusted data vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Import/WikiImporter.Php, includes/Import/WikiRevision.Php, includes/Logging/LogEntryBase.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Deserialization of untrusted data vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Import/WikiImporter.Php, includes/Import/WikiRevision.Php, includes/Logging/LogEntryBase.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:23:29.787Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T422244"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution via Unsafe Deserialization in LogItem Import",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58025",
"datePublished": "2026-07-01T15:23:29.787Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:51:56.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58029 (GCVE-0-2026-58029)
Vulnerability from cvelistv5 – Published: 2026-07-01 15:19 – Updated: 2026-07-01 15:51
VLAI?
Title
Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata
Summary
Vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Api/ApiChangeAuthenticationData.Php, includes/Api/ApiLinkAccount.Php, includes/Api/ApiRemoveAuthenticationData.Php, includes/Specials/SpecialLinkAccounts.Php, includes/Specials/SpecialUnlinkAccounts.Php.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(1.46.0, 1.45.4, 1.44.6, 1.43.9)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:51:12.379031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:51:32.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Api/ApiChangeAuthenticationData.php",
"includes/Api/ApiLinkAccount.php",
"includes/Api/ApiRemoveAuthenticationData.php",
"includes/Specials/SpecialLinkAccounts.php",
"includes/Specials/SpecialUnlinkAccounts.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "1.46.0, 1.45.4, 1.44.6, 1.43.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Api/ApiChangeAuthenticationData.Php, includes/Api/ApiLinkAccount.Php, includes/Api/ApiRemoveAuthenticationData.Php, includes/Specials/SpecialLinkAccounts.Php, includes/Specials/SpecialUnlinkAccounts.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Api/ApiChangeAuthenticationData.Php, includes/Api/ApiLinkAccount.Php, includes/Api/ApiRemoveAuthenticationData.Php, includes/Specials/SpecialLinkAccounts.Php, includes/Specials/SpecialUnlinkAccounts.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:19:11.810Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T422676"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58029",
"datePublished": "2026-07-01T15:19:11.810Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:51:32.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58028 (GCVE-0-2026-58028)
Vulnerability from cvelistv5 – Published: 2026-07-01 15:15 – Updated: 2026-07-01 15:50
VLAI?
Title
Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth.
This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:50:31.075019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:50:39.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Api/ApiFormatBase.php",
"includes/Api/ApiHelp.php",
"includes/ResourceLoader/Module.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CentralAuth",
"programFiles": [
"includes/Hooks/Handlers/PageDisplayHookHandler.php",
"includes/LogFormatter/PermissionChangeLogFormatter.php"
],
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth.\u003cp\u003e This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth.\n\n This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:15:17.250Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T422306"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58028",
"datePublished": "2026-07-01T15:15:17.250Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:50:39.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58026 (GCVE-0-2026-58026)
Vulnerability from cvelistv5 – Published: 2026-07-01 15:10 – Updated: 2026-07-01 15:50
VLAI?
Title
$wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Parser/Parser.Php.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:50:06.590439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:50:17.256Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Parser/Parser.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Parser/Parser.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Parser/Parser.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:10:34.559Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T299359"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "$wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58026",
"datePublished": "2026-07-01T15:10:34.559Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:50:17.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8857 (GCVE-0-2026-8857)
Vulnerability from cvelistv5 – Published: 2026-07-01 15:08 – Updated: 2026-07-01 15:49
VLAI?
Title
Full RCE using EasyTimeline Extension
Summary
A vulnerability in Wikimedia Foundation timeline.
This vulnerability is associated with program files scripts/EasyTimeline.Pl, includes/Timeline.Php.
This issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | timeline |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8857",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:49:46.432787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:49:55.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "timeline",
"programFiles": [
"scripts/EasyTimeline.pl",
"includes/Timeline.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/timeline/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Wikimedia Foundation timeline.\u003cp\u003e This vulnerability is associated with program files scripts/EasyTimeline.Pl, includes/Timeline.Php.\u003c/p\u003e\u003cp\u003eThis issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "A vulnerability in Wikimedia Foundation timeline.\n\n This vulnerability is associated with program files scripts/EasyTimeline.Pl, includes/Timeline.Php.\n\n\n\nThis issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:08:49.425Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T426631"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Full RCE using EasyTimeline Extension",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-8857",
"datePublished": "2026-07-01T15:08:49.425Z",
"dateReserved": "2026-05-18T16:56:22.404Z",
"dateUpdated": "2026-07-01T15:49:55.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58038 (GCVE-0-2026-58038)
Vulnerability from cvelistv5 – Published: 2026-07-01 15:04 – Updated: 2026-07-01 15:47
VLAI?
Title
Stored XSS through javascript URLs in SVGs generated by EasyTimeline
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation timeline.
This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl.
This issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | timeline |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:47:43.541553Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:47:50.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "timeline",
"programFiles": [
"includes/Timeline.php",
"scripts/EasyTimeline.pl"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/tiemline/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation timeline.\u003cp\u003e This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl.\u003c/p\u003e\u003cp\u003eThis issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation timeline.\n\n This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl.\n\n\n\nThis issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:04:01.989Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T427611"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS through javascript URLs in SVGs generated by EasyTimeline",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58038",
"datePublished": "2026-07-01T15:04:01.989Z",
"dateReserved": "2026-06-27T13:32:41.613Z",
"dateUpdated": "2026-07-01T15:47:50.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58027 (GCVE-0-2026-58027)
Vulnerability from cvelistv5 – Published: 2026-07-01 15:01 – Updated: 2026-07-01 15:49
VLAI?
Title
QueryAbuseFilter API can be used to see the hit count of private filters, which is hidden in the UI
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter.
This vulnerability is associated with program files includes/Api/QueryAbuseFilters.Php.
This issue affects AbuseFilter: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | AbuseFilter |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58027",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:49:23.869052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:49:32.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AbuseFilter",
"programFiles": [
"includes/Api/QueryAbuseFilters.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/AbuseFilter/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter.\u003cp\u003e This vulnerability is associated with program files includes/Api/QueryAbuseFilters.Php.\u003c/p\u003e\u003cp\u003eThis issue affects AbuseFilter: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter.\n\n This vulnerability is associated with program files includes/Api/QueryAbuseFilters.Php.\n\n\n\nThis issue affects AbuseFilter: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:01:00.948Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T406954"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "QueryAbuseFilter API can be used to see the hit count of private filters, which is hidden in the UI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58027",
"datePublished": "2026-07-01T15:01:00.948Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:49:32.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58030 (GCVE-0-2026-58030)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:58 – Updated: 2026-07-01 15:48
VLAI?
Title
SyntaxHighlight stored XSS via unsanitized 'linelinks' attribute
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation SyntaxHighlight_GeSHi.
This vulnerability is associated with program files includes/SyntaxHighlight.Php.
This issue affects SyntaxHighlight_GeSHi: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | SyntaxHighlight_GeSHi |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:48:48.602789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:48:58.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyntaxHighlight_GeSHi",
"programFiles": [
"includes/SyntaxHighlight.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/SyntaxHighlight_GeSHi/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation SyntaxHighlight_GeSHi.\u003cp\u003e This vulnerability is associated with program files includes/SyntaxHighlight.Php.\u003c/p\u003e\u003cp\u003eThis issue affects SyntaxHighlight_GeSHi: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation SyntaxHighlight_GeSHi.\n\n This vulnerability is associated with program files includes/SyntaxHighlight.Php.\n\n\n\nThis issue affects SyntaxHighlight_GeSHi: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:58:19.707Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T427167"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SyntaxHighlight stored XSS via unsanitized \u0027linelinks\u0027 attribute",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58030",
"datePublished": "2026-07-01T14:58:19.707Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:48:58.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58032 (GCVE-0-2026-58032)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:56 – Updated: 2026-07-01 15:48
VLAI?
Title
mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files resources/src/mediawiki.Api/index.Js.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:48:28.806436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:48:38.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"resources/src/mediawiki.api/index.js"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files resources/src/mediawiki.Api/index.Js.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files resources/src/mediawiki.Api/index.Js.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:56:27.223Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T426867"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58032",
"datePublished": "2026-07-01T14:56:27.223Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:48:38.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58033 (GCVE-0-2026-58033)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:54 – Updated: 2026-07-01 15:48
VLAI?
Title
"Total number of distinct authors" statistic at action=info does not exclude revisions where the author name was deleted
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Actions/InfoAction.Php.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:48:05.703064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:48:16.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Actions/InfoAction.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Actions/InfoAction.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Actions/InfoAction.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:54:15.263Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T427235"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "\"Total number of distinct authors\" statistic at action=info does not exclude revisions where the author name was deleted",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58033",
"datePublished": "2026-07-01T14:54:15.263Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:48:16.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58037 (GCVE-0-2026-58037)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:51 – Updated: 2026-07-01 15:46
VLAI?
Title
Core log entries for exceptions and XSS issues in log entry formatting code that may be caused by user-controlled input
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Language/Language.Php, includes/Logging/BlockLogFormatter.Php, includes/Logging/LogFormatter.Php, includes/Logging/PatrolLogFormatter.Php, includes/Logging/RenameuserLogFormatter.Php, includes/Logging/TagLogFormatter.Php, includes/Specials/SpecialVersion.Php.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:46:35.403062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:46:44.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Language/Language.php",
"includes/Logging/BlockLogFormatter.php",
"includes/Logging/LogFormatter.php",
"includes/Logging/PatrolLogFormatter.php",
"includes/Logging/RenameuserLogFormatter.php",
"includes/Logging/TagLogFormatter.php",
"includes/Specials/SpecialVersion.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Language/Language.Php, includes/Logging/BlockLogFormatter.Php, includes/Logging/LogFormatter.Php, includes/Logging/PatrolLogFormatter.Php, includes/Logging/RenameuserLogFormatter.Php, includes/Logging/TagLogFormatter.Php, includes/Specials/SpecialVersion.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Language/Language.Php, includes/Logging/BlockLogFormatter.Php, includes/Logging/LogFormatter.Php, includes/Logging/PatrolLogFormatter.Php, includes/Logging/RenameuserLogFormatter.Php, includes/Logging/TagLogFormatter.Php, includes/Specials/SpecialVersion.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:51:27.027Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T422995"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Core log entries for exceptions and XSS issues in log entry formatting code that may be caused by user-controlled input",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58037",
"datePublished": "2026-07-01T14:51:27.027Z",
"dateReserved": "2026-06-27T13:32:41.613Z",
"dateUpdated": "2026-07-01T15:46:44.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58036 (GCVE-0-2026-58036)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:48 – Updated: 2026-07-01 15:47
VLAI?
Title
Users API leaks whether privileged users have their user groups disabled for lack of 2FA
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Api/ApiQueryAllUsers.Php, includes/Api/ApiQueryUsers.Php, includes/Permissions/PermissionManager.Php, includes/User/UserGroupManager.Php.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
1.46.0-rc.0 , < 1.46.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:47:22.376326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:47:29.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Api/ApiQueryAllUsers.php",
"includes/Api/ApiQueryUsers.php",
"includes/Permissions/PermissionManager.php",
"includes/User/UserGroupManager.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0",
"status": "affected",
"version": "1.46.0-rc.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Api/ApiQueryAllUsers.Php, includes/Api/ApiQueryUsers.Php, includes/Permissions/PermissionManager.Php, includes/User/UserGroupManager.Php.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Api/ApiQueryAllUsers.Php, includes/Api/ApiQueryUsers.Php, includes/Permissions/PermissionManager.Php, includes/User/UserGroupManager.Php."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:48:07.691Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T425406"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Users API leaks whether privileged users have their user groups disabled for lack of 2FA",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58036",
"datePublished": "2026-07-01T14:48:07.691Z",
"dateReserved": "2026-06-27T13:32:41.613Z",
"dateUpdated": "2026-07-01T15:47:29.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58024 (GCVE-0-2026-58024)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:34 – Updated: 2026-07-01 15:47
VLAI?
Title
API identification of users on private wikis
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Api/ApiUserrights.Php.
This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:47:00.167018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:47:10.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Api/ApiUserrights.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Api/ApiUserrights.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Api/ApiUserrights.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:34:47.214Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T422085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "API identification of users on private wikis",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58024",
"datePublished": "2026-07-01T14:34:47.214Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T15:47:10.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13707 (GCVE-0-2026-13707)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:32 – Updated: 2026-07-01 15:46
VLAI?
Title
Session fixation attacks on improperly configured OAuth 1.0a tools
Summary
Session fixation vulnerability in Wikimedia Foundation OAuth.
This vulnerability is associated with program files src/Backend/MWOAuthServer.Php.
This issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Severity ?
CWE
- CWE-384 - Session fixation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | OAuth |
Affected:
* , ≤ 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:46:04.776893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:46:18.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OAuth",
"programFiles": [
"src/Backend/MWOAuthServer.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/OAuth/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Session fixation vulnerability in Wikimedia Foundation OAuth.\u003cp\u003e This vulnerability is associated with program files src/Backend/MWOAuthServer.Php.\u003c/p\u003e\u003cp\u003eThis issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.\u003c/p\u003e"
}
],
"value": "Session fixation vulnerability in Wikimedia Foundation OAuth.\n\n This vulnerability is associated with program files src/Backend/MWOAuthServer.Php.\n\n\n\nThis issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:32:26.598Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T428324"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Session fixation attacks on improperly configured OAuth 1.0a tools",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-13707",
"datePublished": "2026-07-01T14:32:26.598Z",
"dateReserved": "2026-06-29T13:21:39.196Z",
"dateUpdated": "2026-07-01T15:46:18.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13706 (GCVE-0-2026-13706)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:29 – Updated: 2026-07-01 15:44
VLAI?
Title
UrlShortener extension url validation can be bypassed due to difference between php url parsing and WHATWG
Summary
Improper input validation vulnerability in Wikimedia Foundation UrlShortener.
This vulnerability is associated with program files includes/UrlShortenerUtils.Php.
Severity ?
CWE
- CWE-20 - Improper input validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | UrlShortener |
Affected:
* , ≤ 1.46.0, 1.45.4, 1.44.6, 1.43.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:44:18.842649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:44:29.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UrlShortener",
"programFiles": [
"includes/UrlShortenerUtils.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/UrlShortener/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.46.0, 1.45.4, 1.44.6, 1.43.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper input validation vulnerability in Wikimedia Foundation UrlShortener.\u003cp\u003e This vulnerability is associated with program files includes/UrlShortenerUtils.Php.\u003c/p\u003e"
}
],
"value": "Improper input validation vulnerability in Wikimedia Foundation UrlShortener.\n\n This vulnerability is associated with program files includes/UrlShortenerUtils.Php."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:29:49.167Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T418533"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "UrlShortener extension url validation can be bypassed due to difference between php url parsing and WHATWG",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-13706",
"datePublished": "2026-07-01T14:29:49.167Z",
"dateReserved": "2026-06-29T13:21:21.798Z",
"dateUpdated": "2026-07-01T15:44:29.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58031 (GCVE-0-2026-58031)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:24 – Updated: 2026-07-01 14:45
VLAI?
Title
Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.
This issue affects MediaWiki: from 1.46.0-rc.0 before 1.46.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
1.46.0-rc.0 , < 1.46.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T14:45:37.930128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:45:46.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"resources/src/mediawiki.special.apisandbox/ApiSandboxLayout.js"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0",
"status": "affected",
"version": "1.46.0-rc.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from 1.46.0-rc.0 before 1.46.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.\n\n\n\nThis issue affects MediaWiki: from 1.46.0-rc.0 before 1.46.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:24:21.084Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T426889"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58031",
"datePublished": "2026-07-01T14:24:21.084Z",
"dateReserved": "2026-06-27T13:32:37.577Z",
"dateUpdated": "2026-07-01T14:45:46.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58034 (GCVE-0-2026-58034)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:21 – Updated: 2026-07-01 14:46
VLAI?
Title
Stored XSS through a system message when blocking a temporary account that's related to other temporary accounts
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser.
This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue.
This issue affects CheckUser: from 1.46.0-rc.0 before 1.46.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | CheckUser |
Affected:
1.46.0-rc.0 , < 1.46.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58034",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T14:45:57.866755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:46:05.002Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CheckUser",
"programFiles": [
"modules/ext.checkUser.tempAccounts/components/blockConnectedTempAccountsField.vue"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/CheckUser/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0",
"status": "affected",
"version": "1.46.0-rc.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation CheckUser.\u003cp\u003e This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue.\u003c/p\u003e\u003cp\u003eThis issue affects CheckUser: from 1.46.0-rc.0 before 1.46.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation CheckUser.\n\n This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue.\n\n\n\nThis issue affects CheckUser: from 1.46.0-rc.0 before 1.46.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:21:04.398Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T428820"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS through a system message when blocking a temporary account that\u0027s related to other temporary accounts",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58034",
"datePublished": "2026-07-01T14:21:04.398Z",
"dateReserved": "2026-06-27T13:32:41.613Z",
"dateUpdated": "2026-07-01T14:46:05.002Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58035 (GCVE-0-2026-58035)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:17 – Updated: 2026-07-01 14:54
VLAI?
Title
Stored XSS through a system message in the codex version of Special:Block
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files resources/src/mediawiki.Special.Block/SpecialBlock.Vue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
1.46.0-rc.0 , < 1.46.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58035",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T14:54:34.232286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:54:43.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"resources/src/mediawiki.special.block/SpecialBlock.vue"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.46.0",
"status": "affected",
"version": "1.46.0-rc.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files resources/src/mediawiki.Special.Block/SpecialBlock.Vue.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files resources/src/mediawiki.Special.Block/SpecialBlock.Vue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:17:41.643Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T428809"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS through a system message in the codex version of Special:Block",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58035",
"datePublished": "2026-07-01T14:17:41.643Z",
"dateReserved": "2026-06-27T13:32:41.613Z",
"dateUpdated": "2026-07-01T14:54:43.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58519 (GCVE-0-2026-58519)
Vulnerability from cvelistv5 – Published: 2026-07-01 03:59 – Updated: 2026-07-01 12:29
VLAI?
Title
Stored XSS through Cargo's map format
Summary
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.
This issue affects Mediawiki - Cargo Extension: from * before 3.9.1.
Severity ?
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Cargo Extension |
Affected:
* , < 3.9.1
(semver)
|
Credits
SomeRandomDeveloper
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58519",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T12:29:54.675114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T12:29:57.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://phabricator.wikimedia.org/T424140"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Cargo Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThan": "3.9.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SomeRandomDeveloper"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.\u003cp\u003eThis issue affects Mediawiki - Cargo Extension: from * before 3.9.1.\u003c/p\u003e"
}
],
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.\n\nThis issue affects Mediawiki - Cargo Extension: from * before 3.9.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "ATTACKED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:A",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T03:59:33.932Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T424140"
},
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1277612"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS through Cargo\u0027s map format",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58519",
"datePublished": "2026-07-01T03:59:33.932Z",
"dateReserved": "2026-07-01T03:40:44.769Z",
"dateUpdated": "2026-07-01T12:29:57.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58518 (GCVE-0-2026-58518)
Vulnerability from cvelistv5 – Published: 2026-07-01 03:52 – Updated: 2026-07-01 12:31
VLAI?
Summary
Cross-Site request forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery.
This issue affects Mediawiki - RedirectManager Extension: from * before 1.3.3.
Severity ?
CWE
- CWE-352 - Cross-Site request forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - RedirectManager Extension |
Affected:
* , < 1.3.3
(semver)
|
Credits
SomeRandomDeveloper
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58518",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T12:31:19.474118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T12:31:23.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://phabricator.wikimedia.org/T423826"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - RedirectManager Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThan": "1.3.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SomeRandomDeveloper"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site request forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Mediawiki - RedirectManager Extension: from * before 1.3.3.\u003c/p\u003e"
}
],
"value": "Cross-Site request forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery.\n\nThis issue affects Mediawiki - RedirectManager Extension: from * before 1.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site request forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T03:52:29.450Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T423826"
},
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RedirectManager/+/1275494"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-58518",
"datePublished": "2026-07-01T03:52:29.450Z",
"dateReserved": "2026-07-01T03:40:44.769Z",
"dateUpdated": "2026-07-01T12:31:23.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5266 (GCVE-0-2026-5266)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:55 – Updated: 2026-05-11 18:00
VLAI?
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo.
This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php.
This issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | Echo |
Affected:
* , < 1.43.7, 1.44.4, 1.45.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T17:59:36.549787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:00:17.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Echo",
"programFiles": [
"includes/Api/ApiEchoNotifications.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/Echo/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.7, 1.44.4, 1.45.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo.\u003cp\u003e This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php.\u003c/p\u003e\u003cp\u003eThis issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo.\n\n This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php.\n\n\n\nThis issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:55:55.171Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T420154"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-5266",
"datePublished": "2026-05-11T16:55:55.171Z",
"dateReserved": "2026-03-31T18:45:42.439Z",
"dateUpdated": "2026-05-11T18:00:17.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34095 (GCVE-0-2026-34095)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:53 – Updated: 2026-05-11 18:04
VLAI?
Title
action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request
Summary
Vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.
This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity ?
CWE
- CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.43.7, 1.44.4, 1.45.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:03:59.746830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668 Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:04:03.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Actions/ActionEntryPoint.php",
"includes/Request/FauxResponse.php"
],
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.7, 1.44.4, 1.45.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.\u003c/p\u003e"
}
],
"value": "Vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:53:25.421Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T419192"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "action=raw with Special:Mypage subpage title responds with \"Content-Type: text/html\" on ctype=text/javascript request",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-34095",
"datePublished": "2026-05-11T16:53:25.421Z",
"dateReserved": "2026-03-25T17:15:46.522Z",
"dateUpdated": "2026-05-11T18:04:03.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34094 (GCVE-0-2026-34094)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:50 – Updated: 2026-05-11 18:06
VLAI?
Title
Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix
Summary
Vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Page/Article.Php.
This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity ?
CWE
- CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.43.7, 1.44.4, 1.45.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:06:55.286580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668 Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:06:58.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Page/Article.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.7, 1.44.4, 1.45.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Page/Article.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.\u003c/p\u003e"
}
],
"value": "Vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Page/Article.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:50:46.673Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T416090"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Customized help link for page protection indicator is relative to subpage name, because the link target is missing the \"/wiki/\" prefix",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-34094",
"datePublished": "2026-05-11T16:50:46.673Z",
"dateReserved": "2026-03-25T17:15:46.522Z",
"dateUpdated": "2026-05-11T18:06:58.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34093 (GCVE-0-2026-34093)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:48 – Updated: 2026-05-11 18:15
VLAI?
Title
Special:UserRights allows viewing user rights from private wiki
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php.
This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.43.7, 1.44.4, 1.45.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:14:58.642936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:15:08.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Specials/SpecialUserRights.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.7, 1.44.4, 1.45.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.1,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/R:A",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:48:19.486Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T414547"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Special:UserRights allows viewing user rights from private wiki",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-34093",
"datePublished": "2026-05-11T16:48:19.486Z",
"dateReserved": "2026-03-25T17:15:46.522Z",
"dateUpdated": "2026-05-11T18:15:08.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34092 (GCVE-0-2026-34092)
Vulnerability from cvelistv5 – Published: 2026-05-11 15:00 – Updated: 2026-05-11 15:50
VLAI?
Title
Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Skin/Skin.Php.
This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
* , < 1.43.7, 1.44.4, 1.45.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:50:50.701631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:50:58.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/Skin/Skin.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.43.7, 1.44.4, 1.45.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files includes/Skin/Skin.Php.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Skin/Skin.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:00:29.819Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T384147"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Block UI elements in \u0027tools\u0027-sidebar shows presence of an autoblocked IP",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2026-34092",
"datePublished": "2026-05-11T15:00:29.819Z",
"dateReserved": "2026-03-25T17:15:46.522Z",
"dateUpdated": "2026-05-11T15:50:58.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}