Search for packages
| purl | pkg:deb/debian/mediawiki@1:1.31.16-1%2Bdeb10u2 |
| Next non-vulnerable version | 1:1.43.8+dfsg-2 |
| Latest non-vulnerable version | 1:1.43.8+dfsg-2 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1na8-nyq1-yfcy
Aliases: CVE-2021-20270 GHSA-9w8r-397f-prfh PYSEC-2021-140 |
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
Affected by 39 other vulnerabilities. |
|
VCID-2wcb-hty6-uyez
Aliases: CVE-2025-32072 |
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection.This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43. |
Affected by 7 other vulnerabilities. |
|
VCID-2xja-2whv-fqe4
Aliases: CVE-2023-45362 |
mediawiki: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression |
Affected by 39 other vulnerabilities. |
|
VCID-32f4-khen-3yez
Aliases: CVE-2021-30159 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-3zue-5ccg-23hs
Aliases: CVE-2025-67480 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. |
Affected by 7 other vulnerabilities. |
|
VCID-424y-cjxg-c7az
Aliases: CVE-2020-25815 GHSA-2f58-vf6g-6p8x |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). |
Affected by 39 other vulnerabilities. |
|
VCID-4dfp-3qk9-j7fg
Aliases: CVE-2021-35197 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-4yhr-jjt9-afaq
Aliases: CVE-2025-61641 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-5myd-ngfx-5qhb
Aliases: CVE-2023-51704 |
mediawiki: group-.*-member messages are not properly escaped on Special:log/rights |
Affected by 7 other vulnerabilities. |
|
VCID-674z-nf4t-b7ez
Aliases: CVE-2022-29248 GHSA-cwmx-hcrq-mhc3 |
Cross-domain cookie leakage in Guzzle ### Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account. Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `['cookies' => true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3. ### Workarounds If you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off. ### References * [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 39 other vulnerabilities. |
|
VCID-6ads-gs3n-dubh
Aliases: CVE-2021-30458 GHSA-5pqx-77vf-85rw |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-73p6-esc6-tydd
Aliases: CVE-2020-35478 |
mediawiki: potential XSS via MediaWiki:blanknamespace outputting Block Logs |
Affected by 39 other vulnerabilities. |
|
VCID-74ej-8sna-jyek
Aliases: CVE-2025-32698 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 7 other vulnerabilities. |
|
VCID-7ar6-14bb-yfc5
Aliases: CVE-2020-35480 |
mediawiki: divergent behavior for contributions and user pages of hidden users and missing users |
Affected by 39 other vulnerabilities. |
|
VCID-7eba-7gsc-hbfg
Aliases: CVE-2023-29141 GHSA-5vj8-g3qg-4qh6 |
X-Forwarded-For header allows brute-forcing autoblocked IP addresses An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. |
Affected by 39 other vulnerabilities. |
|
VCID-7j54-uz1w-y3dn
Aliases: CVE-2021-41801 |
security update |
Affected by 39 other vulnerabilities. |
|
VCID-7m3q-wuh7-k7fn
Aliases: CVE-2021-30154 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-7wh4-say2-pqap
Aliases: CVE-2025-61656 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-812q-n5hg-u7dx
Aliases: CVE-2020-35474 |
mediawiki: message recentchanges-legend-watchlistexpiry can contain raw html |
Affected by 39 other vulnerabilities. |
|
VCID-8sqw-6aae-13f5
Aliases: CVE-2021-30157 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-8uw8-ja3w-r3da
Aliases: CVE-2025-11261 |
MediaWiki: MediaWiki: Cross-site Scripting (XSS) vulnerability |
Affected by 7 other vulnerabilities. |
|
VCID-92hf-r3sb-jbhy
Aliases: CVE-2021-44855 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-9346-9aaj-fkfw
Aliases: CVE-2022-41765 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-95d1-mkm6-r3cq
Aliases: CVE-2025-6591 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0. |
Affected by 7 other vulnerabilities. |
|
VCID-9exs-x5s1-4bhg
Aliases: CVE-2022-31042 GHSA-f2wf-25xc-69c9 |
Failure to strip the Cookie header on change in host or HTTP downgrade ### Impact `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 39 other vulnerabilities. |
|
VCID-9g1g-z7d8-c7ah
Aliases: CVE-2020-36649 GHSA-qvjc-g5vr-mfgr GMS-2020-421 |
Regular Expression Denial of Service in papaparse Versions of `papaparse` prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The `parse` function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service. ## Recommendation Upgrade to version 5.2.0 or later. |
Affected by 39 other vulnerabilities. |
|
VCID-9nnu-4mda-7qg9
Aliases: CVE-2021-41798 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-9xyz-wzr8-wqhz
Aliases: CVE-2022-31090 GHSA-25mq-v84q-4j7r GMS-2022-2528 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-a8nh-mvhd-bka7
Aliases: CVE-2025-6597 |
MediaWiki: MediaWiki: Vulnerability in authentication management |
Affected by 7 other vulnerabilities. |
|
VCID-ad34-frk5-kqds
Aliases: CVE-2021-30158 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-arzd-7xhw-qqb4
Aliases: CVE-2020-25827 GHSA-rqvj-fc2x-99q6 |
OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. |
Affected by 39 other vulnerabilities. |
|
VCID-av7r-cpew-xkcn
Aliases: CVE-2021-45038 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-azup-qzq7-sbh6
Aliases: CVE-2020-25814 GHSA-4vr7-m8p8-434h |
MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
Affected by 39 other vulnerabilities. |
|
VCID-b5ke-cjtq-q3ev
Aliases: CVE-2025-6595 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer.This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. |
Affected by 7 other vulnerabilities. |
|
VCID-b8r6-r39r-3ffm
Aliases: CVE-2023-36674 |
MediaWiki: Manualthumb bypasses badFile lookup |
Affected by 39 other vulnerabilities. |
|
VCID-brg4-rv29-1fgz
Aliases: CVE-2021-27291 GHSA-pq64-v7f5-gqh8 PYSEC-2021-141 |
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-c8zy-wsn9-63af
Aliases: CVE-2021-41799 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-ckkj-z5nq-akhb
Aliases: CVE-2021-44857 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-d6kz-e82q-6kh3
Aliases: CVE-2020-35479 |
mediawiki: potential XSS via the month messages such as MediaWiki:january through MediaWiki:december outputting Block Logs |
Affected by 39 other vulnerabilities. |
|
VCID-den1-257q-euc9
Aliases: CVE-2025-61653 |
Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-e8np-4nbw-t3b3
Aliases: CVE-2025-11173 |
Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-ea7c-xk4h-13fs
Aliases: CVE-2023-3550 |
mediawiki: stored XSS leads to privilege escalation |
Affected by 39 other vulnerabilities. |
|
VCID-eefm-65rj-pyg2
Aliases: CVE-2021-44858 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-fnzm-dxb3-v7hr
Aliases: CVE-2021-30153 |
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor. |
Affected by 39 other vulnerabilities. |
|
VCID-fptt-2t1j-8fec
Aliases: CVE-2025-61639 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-fwb3-kxy8-73hz
Aliases: CVE-2020-35477 |
mediawiki: unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage |
Affected by 39 other vulnerabilities. |
|
VCID-h3d2-nr9e-nqbk
Aliases: CVE-2025-6926 |
Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication.This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. |
Affected by 7 other vulnerabilities. |
|
VCID-h789-pcxv-kbgd
Aliases: CVE-2025-6590 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0. |
Affected by 7 other vulnerabilities. |
|
VCID-h8jw-brz8-hkfn
Aliases: CVE-2020-25812 GHSA-rj9p-8jxj-2ch4 |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.34.x before 1.34.3. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. |
Affected by 39 other vulnerabilities. |
|
VCID-j1bz-4bex-4key
Aliases: CVE-2020-35475 |
mediawiki: messages userrights-expiry-current and userrights-expiry-none can contain raw html |
Affected by 39 other vulnerabilities. |
|
VCID-jm7q-2w3j-buhh
Aliases: CVE-2023-45363 GHSA-w5fx-cx7f-6vr9 |
MediaWiki Denial of Service vulnerability An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. |
Affected by 39 other vulnerabilities. |
|
VCID-jwkd-wdus-6ygg
Aliases: CVE-2022-47927 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-k1f5-msra-4kam
Aliases: CVE-2021-30155 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-k7qb-7hbj-1qc2
Aliases: CVE-2025-6594 |
MediaWiki: MediaWiki: Cross-site Scripting vulnerability via improper input neutralization |
Affected by 7 other vulnerabilities. |
|
VCID-m1j5-3ecf-dffj
Aliases: CVE-2022-28202 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-m1xy-yucr-dqfs
Aliases: CVE-2025-61635 |
Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *. |
Affected by 7 other vulnerabilities. |
|
VCID-m7uw-sa5j-u3bw
Aliases: CVE-2025-67481 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. |
Affected by 7 other vulnerabilities. |
|
VCID-mbs4-gs37-1fh5
Aliases: CVE-2025-61646 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-nwsr-ruca-2kha
Aliases: CVE-2022-31043 GHSA-w248-ffj2-4v5q |
Fix failure to strip Authorization header on HTTP downgrade ### Impact `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 39 other vulnerabilities. |
|
VCID-pm3s-z5ap-qqay
Aliases: CVE-2025-61640 |
MediaWiki: MediaWiki: Arbitrary code execution via Cross-site Scripting (XSS) |
Affected by 7 other vulnerabilities. |
|
VCID-pm5t-23j4-6yh6
Aliases: CVE-2020-25828 GHSA-h8qx-mj6v-2934 |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
Affected by 39 other vulnerabilities. |
|
VCID-pw9d-1cwb-tyb9
Aliases: CVE-2022-28201 |
security update |
Affected by 39 other vulnerabilities. |
|
VCID-pwjk-pzpj-aff6
Aliases: CVE-2025-32699 |
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. |
Affected by 7 other vulnerabilities. |
|
VCID-qjhk-97j6-2qfm
Aliases: CVE-2021-44854 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-qpgu-mg6m-vyef
Aliases: CVE-2025-67482 |
Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a. |
Affected by 7 other vulnerabilities. |
|
VCID-qqvd-cjs3-7kab
Aliases: CVE-2022-34912 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-qwcp-5hh8-z3gp
Aliases: CVE-2022-41767 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-ruur-4cvx-cqct
Aliases: CVE-2023-36675 |
mediawiki: cross site scripting |
Affected by 39 other vulnerabilities. |
|
VCID-rwtk-hep1-xfaw
Aliases: CVE-2021-30152 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-rz65-w7x5-57hu
Aliases: CVE-2022-34911 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-sc5s-s7vg-dygq
Aliases: CVE-2024-34506 |
mediawiki: denial of service |
Affected by 39 other vulnerabilities. |
|
VCID-sca5-n7rz-rffq
Aliases: CVE-2021-44856 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-sr9a-a6vt-1qgt
Aliases: CVE-2025-61638 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1. |
Affected by 7 other vulnerabilities. |
|
VCID-tutk-y8jg-n7dh
Aliases: CVE-2025-67478 |
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-ujdn-y48t-pbch
Aliases: CVE-2020-25813 GHSA-c4rj-wrmq-52rj |
MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users. |
Affected by 39 other vulnerabilities. |
|
VCID-v3dp-7stt-tygf
Aliases: CVE-2025-67475 |
MediaWiki: MediaWiki: Cross-site Scripting vulnerability due to improper input neutralization |
Affected by 7 other vulnerabilities. |
|
VCID-vjd5-jv5h-yfhw
Aliases: CVE-2025-61655 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-w51y-hprj-buap
Aliases: CVE-2025-32696 |
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 7 other vulnerabilities. |
|
VCID-wraf-59ce-u3br
Aliases: CVE-2025-67479 |
MediaWiki: MediaWiki: Vulnerability in parsing and sanitization |
Affected by 7 other vulnerabilities. |
|
VCID-wzqf-k99e-vbeu
Aliases: CVE-2022-31091 GHSA-q559-8m2m-g699 GMS-2022-2529 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-xtd9-wbd9-67ew
Aliases: CVE-2025-6593 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. |
Affected by 7 other vulnerabilities. |
|
VCID-yakw-r8bh-5bde
Aliases: CVE-2022-28203 |
security update |
Affected by 39 other vulnerabilities. |
|
VCID-z3qw-4ejj-uffj
Aliases: CVE-2025-3469 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 7 other vulnerabilities. |
|
VCID-z8qp-v64u-tuh8
Aliases: CVE-2025-67484 |
MediaWiki: MediaWiki: Vulnerability in ApiFormatXml.Php requiring high privileges |
Affected by 7 other vulnerabilities. |
|
VCID-z9d9-aer5-gfa9
Aliases: CVE-2021-41800 GHSA-c8wv-qwwc-6j73 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-zj5a-p9u4-ducw
Aliases: CVE-2023-45360 |
mediawiki: XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages |
Affected by 39 other vulnerabilities. |
|
VCID-ztxx-cc2c-87at
Aliases: CVE-2025-61643 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1697-p35n-fber | Wikimedia MediaWiki allows CSRF Wikimedia MediaWiki through 1.32.1 allows CSRF in logout feature. |
CVE-2019-12466
GHSA-27fw-r78j-h898 |
| VCID-1866-gt2g-1qfv | MediaWiki Incorrect Access Control vulnerability MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12469
GHSA-x3fr-w7r5-x7rg |
| VCID-1na8-nyq1-yfcy | An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
CVE-2021-20270
GHSA-9w8r-397f-prfh PYSEC-2021-140 |
| VCID-32f4-khen-3yez | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
CVE-2021-30159
|
| VCID-3s9f-prpy-hbcx | Cross-site Scripting The jQuery library, which is included in rdoc, mishandles `jQuery.extend(true, {}, ...)` because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype.` |
CVE-2019-11358
GHSA-6c3j-c64m-qhgq |
| VCID-4dfp-3qk9-j7fg | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
CVE-2021-35197
|
| VCID-4keq-jcfa-13hc | Possible to circumvent title-blacklist MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. |
CVE-2019-19709
GHSA-pjv5-vv93-p648 |
| VCID-7ar6-14bb-yfc5 | mediawiki: divergent behavior for contributions and user pages of hidden users and missing users |
CVE-2020-35480
|
| VCID-7j54-uz1w-y3dn | security update |
CVE-2021-41801
|
| VCID-7m3q-wuh7-k7fn | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
CVE-2021-30154
|
| VCID-8sqw-6aae-13f5 | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
CVE-2021-30157
|
| VCID-9nnu-4mda-7qg9 | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
CVE-2021-41798
|
| VCID-ad34-frk5-kqds | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
CVE-2021-30158
|
| VCID-arzd-7xhw-qqb4 | OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. |
CVE-2020-25827
GHSA-rqvj-fc2x-99q6 |
| VCID-at9r-vw7p-6bfv | MediaWiki makeCollapsible allows applying event handler to any CSS selector In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS). |
CVE-2020-10960
GHSA-pfm2-mqwj-ggm5 |
| VCID-azup-qzq7-sbh6 | MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
CVE-2020-25814
GHSA-4vr7-m8p8-434h |
| VCID-bbef-akjp-a3gp | Wikimedia Potential DOS due to slow WatchedItemStore::countVisitingWatchersMultiple Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12473
GHSA-33xw-x3pr-rvqj |
| VCID-brg4-rv29-1fgz | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
CVE-2021-27291
GHSA-pq64-v7f5-gqh8 PYSEC-2021-141 |
| VCID-c8zy-wsn9-63af | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
CVE-2021-41799
|
| VCID-d6kz-e82q-6kh3 | mediawiki: potential XSS via the month messages such as MediaWiki:january through MediaWiki:december outputting Block Logs |
CVE-2020-35479
|
| VCID-eud3-k24q-6ber | Multiple vulnerabilities have been found in Firejail, the worst of which could result in the arbitrary execution of code. |
CVE-2020-17368
|
| VCID-fwb3-kxy8-73hz | mediawiki: unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage |
CVE-2020-35477
|
| VCID-gma6-b9cy-kqee | MediaWiki Incorrect Access Control vulnerability MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12467
GHSA-6vfg-8ppv-h5hg |
| VCID-h8jw-brz8-hkfn | MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.34.x before 1.34.3. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. |
CVE-2020-25812
GHSA-rj9p-8jxj-2ch4 |
| VCID-j1bz-4bex-4key | mediawiki: messages userrights-expiry-current and userrights-expiry-none can contain raw html |
CVE-2020-35475
|
| VCID-k1f5-msra-4kam | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
CVE-2021-30155
|
| VCID-kjp3-cs2f-t7b4 | MediaWiki Cross-site Scripting (XSS) Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12471
GHSA-2rm7-xxx8-35jh |
| VCID-pm5t-23j4-6yh6 | MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
CVE-2020-25828
GHSA-h8qx-mj6v-2934 |
| VCID-qmx3-kcnd-zuhe | Wikimedia MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. |
CVE-2019-12468
GHSA-wrhx-3pxr-6vgg |
| VCID-rwtk-hep1-xfaw | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
CVE-2021-30152
|
| VCID-sf61-byhw-17gv | Mediawiki Improper Privilege Management Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'. |
CVE-2018-0503
GHSA-mhfv-9h99-jwg7 |
| VCID-t6w8-cgct-gbgz | MediaWiki information disclosure In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. |
CVE-2019-16738
GHSA-7hwr-f745-5rwq |
| VCID-tq2e-c9ym-a3hj | Wikimedia information leak vulnerability Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12474
GHSA-2qrr-c2gh-pr35 |
| VCID-u2xc-ztge-p3bv | MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12472
GHSA-7mqg-5fgh-xh4r |
| VCID-ujdn-y48t-pbch | MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users. |
CVE-2020-25813
GHSA-c4rj-wrmq-52rj |
| VCID-uzv4-9xtx-ryhr | Multiple vulnerabilities have been found in Firejail, the worst of which could result in the arbitrary execution of code. |
CVE-2020-17367
|
| VCID-v27j-4pnt-n7h9 | Mediawiki BotPassword can bypass CentralAuth's account lock Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock |
CVE-2018-0505
GHSA-5c6w-f4w2-2grp |
| VCID-w3f8-nrqd-p7gq | Mediawiki information disclosure vulnerability Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid |
CVE-2018-0504
GHSA-hr8v-f4g2-p66f |
| VCID-yr8d-347g-pugg | Wikimedia MediaWik exposed suppressed log in RevisionDelete page Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12470
GHSA-733q-m38x-q7cc |
| VCID-z9d9-aer5-gfa9 | Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
CVE-2021-41800
GHSA-c8wv-qwwc-6j73 |
| VCID-zgdf-mxfn-gbea | img_auth.php may leak private extension images into the public cache In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled. |
CVE-2020-15005
GHSA-xpv7-93cm-4mxv |