Wikimedia Foundation MediaWiki Sensitive Information Exposure Vulnerability

Vulnerability

A vulnerability allowing the exposure of sensitive information from private wikis has been identified in Wikimedia Foundation MediaWiki versions prior to 1.39.12, 1.42.76, 1.43.1, and 1.44.0. This issue arises from a Wikitext injection in the PasswordReset error messages: user-supplied input is rendered as Wikitext in the error output, which can be exploited to leak private content.

Impact

Exploitation of this vulnerability leads to a complete content leak of private wikis.

Reproduction

To reproduce this vulnerability, initiate a password reset on a private wiki. Inject Wikitext, such as a template transclusion, into the username field. The error message generated will process the Wikitext, including the injected template, which can be used to exfiltrate information from the private wiki.
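
The underlying pattern, as an added illustration that is not MediaWiki's own PasswordReset code or its patch: a user-controlled string passed as an ordinary message parameter is expanded as Wikitext when the message is parsed, while marking it as plain text prevents the expansion. The message key and the two function names are assumed; the `Message` API calls (`params`, `plaintextParams`, `parse`) and `wfEscapeWikiText` are real MediaWiki functions.

```php
<?php
// Added illustration only; not MediaWiki's PasswordReset code or its fix.
// Context: inside a SpecialPage subclass, $username comes from the reset form.
// The message key 'passwordreset-username-error' is assumed for illustration.

// Weak pattern: params() substitutes $username into the message text before
// parsing, so any template transclusion in the username is expanded by the
// parser and the expanded content lands in the error message shown to the
// requester. On a private wiki that is a disclosure path.
function buildErrorWeak( SpecialPage $page, string $username ): string {
    return $page->msg( 'passwordreset-username-error' )
        ->params( $username )
        ->parse();
}

// Hardened pattern: plaintextParams() marks the value as literal text, so the
// parser never expands it. wfEscapeWikiText() is the equivalent when a string
// has to be embedded in wikitext by hand.
function buildErrorHardened( SpecialPage $page, string $username ): string {
    return $page->msg( 'passwordreset-username-error' )
        ->plaintextParams( $username )
        ->parse();
}

// Manual escaping variant for code that assembles wikitext itself.
function escapeForWikitext( string $username ): string {
    return wfEscapeWikiText( $username );
}
```

When auditing similar code paths, look for user input reaching `params()` or string-concatenated wikitext that is later passed to `parse()`; the same class of defect applies to any message that echoes a submitted value.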

Remediation

Users can update to MediaWiki versions 1.39.13, 1.42.77, 1.43.2, or 1.45.0-wmf.8, where this vulnerability has been patched.

Added: Feb 2, 2026, 11:49 PM
Updated: Feb 2, 2026, 11:49 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.