
CVE-2025-32068 – Revoking authorization of OAuth2 consumer does not invalidate refresh tokens
https://notcve.org/view.php?id=CVE-2025-32068
11 Apr 2025 — Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass. This issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43. • https://gerrit.wikimedia.org/r/q/I27b61af2cdfb862a42432e7a87b863033d540cfc • CWE-863: Incorrect Authorization

CVE-2025-32069 – Wikitext stored XSS on filepages due to dangerous WBMI serialization
https://notcve.org/view.php?id=CVE-2025-32069
11 Apr 2025 — Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Media Info Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Media Info Extension: from 1.39 through 1.43. • https://gerrit.wikimedia.org/r/q/Ie969a8cfeab0d4457417773fa884e271968e5657 • CWE-20: Improper Input Validation

CVE-2025-32070 – XSSes in AJAXPoll
https://notcve.org/view.php?id=CVE-2025-32070
11 Apr 2025 — Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43. • https://gerrit.wikimedia.org/r/q/Ib59c59b2cd36928ab200149c851e2bfcf5cf920c • CWE-20: Improper Input Validation

CVE-2025-32071 – Wikibase CommonsInlineImageFormatter: i18n XSS
https://notcve.org/view.php?id=CVE-2025-32071
11 Apr 2025 — Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS) from the widthheight message via ImageHandler::getDimensionsString(). This issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43. • https://gerrit.wikimedia.org/r/q/Iac1f1c27054bfd1a4a4251281ab8c72f59204a90 • CWE-20: Improper Input Validation

CVE-2025-32700 – AbuseFilter log interfaces expose global private and hidden filters when central DB is not available
https://notcve.org/view.php?id=CVE-2025-32700
10 Apr 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.php, includes/Pager/AbuseLogPager.php, includes/Special/SpecialAbuseLog.php, includes/View/AbuseFilterViewExamine.php. This issue affects AbuseFilter: from >= 1.43.0 before 1.43.1. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure, ... • https://phabricator.wikimedia.org/T389235 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2025-32699 – Potential javascript injection attack enabled by Unicode normalization in Action API
https://notcve.org/view.php?id=CVE-2025-32699
10 Apr 2025 — Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure, cross-site scripting or restriction bypass. • https://phabricator.wikimedia.org/T387130 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-32698 – LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions
https://notcve.org/view.php?id=CVE-2025-32698
10 Apr 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program file includes/logging/LogPager.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure, cross-site scripting or restriction bypass. • https://phabricator.wikimedia.org/T385958 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2025-32697 – Cascading protection is not preventing file reversions
https://notcve.org/view.php?id=CVE-2025-32697
10 Apr 2025 — Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.php, includes/Permissions/PermissionManager.php, includes/Permissions/RestrictionStore.php. This issue affects MediaWiki: before 1.42.6, 1.43.1. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure, cross-site scripting or restriction bypass. • https://phabricator.wikimedia.org/T140010 • CWE-281: Improper Preservation of Permissions

CVE-2025-32696 – "reupload-own" restriction can be bypassed by reverting file
https://notcve.org/view.php?id=CVE-2025-32696
10 Apr 2025 — Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.php, includes/api/ApiFileRevert.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure, cross-site scripting or restriction bypass. • https://phabricator.wikimedia.org/T304474 • CWE-281: Improper Preservation of Permissions

CVE-2025-23074 – Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed)
https://notcve.org/view.php?id=CVE-2025-23074
14 Jan 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse. This issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2. • https://gerrit.wikimedia.org/r/q/I4b77ced314bc6cea0ef3657a82e7467d3661fe2a • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor