
cpe:2.3:a:mediawiki:mediawiki:1.39.0:-:*:*:*:*:*:*

part: a version: 1.39.0 update: -

Vendor: Mediawiki (cdb1ca1d-4622-5407-a7d8-3e891579b8c5)
Product: Mediawiki (ab97168e-95e7-5d6e-a2ac-f8d27117dc4d)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL | Source | Last updated
pkg:github/wikimedia/mediawiki | purl2cpe | 2026-06-01 10:10:57.667014
pkg:wikimedia/mediawiki | purl2cpe | 2026-06-01 10:10:57.667015

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-0669 not_vulnerable 2026-06-03 15:14:42.520251 Path Traversal vulnerability in CSS extension on certain web servers
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal. This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39.
Published: 2026-01-07T17:46:57.285Z
Updated: 2026-01-07T19:21:57.287Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-22912 vulnerable 2026-06-03 14:49:20.478928 Details available
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt.
Published: 2023-01-20T00:00:00.000Z
Updated: 2025-04-03T15:13:11.169Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-22911 vulnerable 2026-06-03 14:49:20.478500 Details available
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.
Published: 2023-01-10T00:00:00.000Z
Updated: 2025-04-07T18:36:08.229Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-22910 vulnerable 2026-06-03 14:49:20.478040 Details available
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.
Published: 2023-01-20T00:00:00.000Z
Updated: 2025-04-03T15:15:05.898Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-22909 vulnerable 2026-06-03 14:49:20.476469 Details available
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.
Published: 2023-01-10T00:00:00.000Z
Updated: 2025-04-07T18:36:40.333Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-47927 vulnerable 2026-06-03 14:48:27.885917 Details available
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T15:40:49.975Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-39193 vulnerable 2026-06-03 14:47:51.216276 Details available
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with suppression rights.
Published: 2023-01-20T00:00:00.000Z
Updated: 2025-04-03T16:11:19.802Z
Imported from gcve-enriched-dumps CVE data
