Nixpkgs Security Tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: mediawiki

Found 36 matching suggestions

Dismissed
Permalink CVE-2025-6593
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 5 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
"{{SITENAME}} registered email address has been changed" email sent to unverified email addresses

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.

Affected products

MediaWiki
  • <1.39.13, 1.42.7 1.43.2, 1.44.0

Matching in nixpkgs

Package maintainers

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)
Dismissed
Permalink CVE-2025-61645
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
CodexTablePager has i18n XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.

Affected products

MediaWiki
  • <1.44.1

Matching in nixpkgs

Package maintainers

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)
Published
Permalink CVE-2025-67481
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2025-67475
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Stored XSS through edit summaries in MW Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2025-67476
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Importing leaks IP address of importer via EventStreams

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2025-67484
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Action API xslt option allows JavaScript execution by administrators who are not interface administrators

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Dismissed
Permalink CVE-2025-67480
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
list=allrevisions can be used to bypass Extension:Lockdown

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

This extension does not seem present in nixpkgs
Published
Permalink CVE-2025-67483
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2025-67477
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Stored XSS through a system message in Special:ApiSandbox

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2025-11261
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Stored i18n XSS exposed by security patch for T402077

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2.

Affected products

MediaWiki
  • <1.39.15, 1.43.5, 1.44.2

Matching in nixpkgs

Package maintainers