Vulnerabilities in Wikimedia Foundation

118 results
CVE | Severity | Title | EPSS
CVE-2025-67481 | NONE | mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does | 0.2%
CVE-2025-61639 | LOW | Suppressed blocked IP is visible in Special:BlockList, RC, and other places | 0.2%
CVE-2025-61642 | NONE | Stored XSS through system messages provided to CodexHtmlForms | 0.2%
CVE-2025-61637 | NONE | Stored XSS through system messages in MW Core | 0.2%
CVE-2025-53489 | MEDIUM | XSS in GoogleDocs4MW | 0.2%
CVE-2025-53490 | MEDIUM | Multiple XSS in CampaignEvents | 0.2%
CVE-2025-61640 | NONE | Stored XSS through system messages in Special:RecentChangesLinked (MW Core) | 0.2%
CVE-2025-67475 | NONE | Stored XSS through edit summaries in MW Core | 0.2%
CVE-2025-67480 | NONE | list=allrevisions can be used to bypass Extension:Lockdown | 0.2%
CVE-2025-61636 | NONE | Codex Special:Block vulnerable to message key XSS | 0.2%
CVE-2025-53502 | MEDIUM | HTML injection in FeaturedFeeds | 0.2%
CVE-2025-7363 | MEDIUM | TitleIcon: Stored Cross-Site Scripting (XSS) via #titleicon_unicode parser function | 0.2%
CVE-2026-0671 | MEDIUM | Multiple stored i18n/message-key XSSes in UploadWizard | 0.2%
CVE-2026-34095 | NONE | action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request | 0.2%
CVE-2025-53488 | MEDIUM | Stored XSS in WikiHiero | 0.2%
CVE-2025-53482 | MEDIUM | IPInfo: Message key XSS through several IPInfo messages in infobox and popup | 0.2%
CVE-2026-39837 | MEDIUM | Stored XSS through the dynamic table format in Cargo | 0.2%
CVE-2025-7056 | MEDIUM | Stored XSS in UrlShortener | 0.2%
CVE-2025-53483 | HIGH | SecurePoll: Multiple admin actions vulnerable to Cross-Site Request Forgery | 0.2%
CVE-2025-61651 | NONE | i18n XSS through Special:CheckUser CheckUser helper | 0.2%