MediaWiki 1.38.0 Release Candidate 1

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:mediawiki:mediawiki:1.38.0:rc1:*:*:*:*:*:*

part: a version: 1.38.0 update: rc1

VendorMediawiki (cdb1ca1d-4622-5407-a7d8-3e891579b8c5)
ProductMediawiki (ab97168e-95e7-5d6e-a2ac-f8d27117dc4d)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from NVD CPE 2.0 feed

PURL mappings

PURLSourceLast updated
pkg:github/wikimedia/mediawiki purl2cpe 2026-06-01 10:10:57.618865
pkg:wikimedia/mediawiki purl2cpe 2026-06-01 10:10:57.618867

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2022-34912 vulnerable 2026-06-03 14:47:37.456467 Details available
An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.
Published: 2022-07-02T00:00:00.000Z
Updated: 2024-08-03T09:22:10.828Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-34911 vulnerable 2026-06-03 14:47:37.455854 Details available
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().
Published: 2022-07-02T00:00:00.000Z
Updated: 2024-08-03T09:22:10.647Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.