Vulnerabilities in The Wikimedia Foundation

62 results
CVE-2026-39935 | MEDIUM | XSS-via-i18n in localised wiki names | EPSS 0.3%
CVE-2025-12004 | CRITICAL | The compare API module breaks Extension:Lockdown | EPSS 0.3%
CVE-2025-62654 | LOW | Stored XSS through system messages in QuizGame | EPSS 0.3%
CVE-2025-62653 | LOW | Stored XSS through system messages in PollNY | EPSS 0.3%
CVE-2026-39936 | MEDIUM | Stored XSS in Score due to usage of non-reserved data attributes | EPSS 0.3%
CVE-2025-62659 | LOW | The CookieConsent extension does not properly use reserved data attributes, thus introducing potential XSS vectors | EPSS 0.3%
CVE-2024-47846 | MEDIUM | Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection | EPSS 0.3%
CVE-2026-39937 | HIGH | Global vanishing does not completely remove user email | EPSS 0.3%
CVE-2025-62655 | LOW | SQL injection in Cargo via Special:CargoExport | EPSS 0.2%
CVE-2025-62656 | MEDIUM | GlobalBlocking Special:GlobalBlockList vulnerable to message key stored XSS | EPSS 0.2%
CVE-2025-62657 | MEDIUM | Stored XSS through system messages in PageForms | EPSS 0.2%
CVE-2025-32068 | MEDIUM | Revoking authorization of OAuth2 consumer does not invalidate refresh tokens | EPSS 0.2%
CVE-2025-62658 | HIGH | SQL injection in WatchAnalytics through Special:ClearPendingReviews | EPSS 0.2%
CVE-2026-22712 | LOW | ApprovedRevs allows bypassing the inline CSS sanitizer | EPSS 0.2%
CVE-2025-32069 | MEDIUM | Wikitext stored XSS on filepages due to dangerous WBMI serialization | EPSS 0.2%
CVE-2025-32067 | MEDIUM | i18n XSS vulnerability in message growthexperiments | EPSS 0.2%
CVE-2025-32071 | MEDIUM | Wikibase CommonsInlineImageFormatter: i18n XSS | EPSS 0.2%
CVE-2025-32070 | MEDIUM | XSSes in AJAXPoll | EPSS 0.2%
CVE-2025-32074 | MEDIUM | XSSes in Extension:ConfirmAccount | EPSS 0.2%
CVE-2025-32073 | MEDIUM | System message XSS in HTMLTags | EPSS 0.2%