DokuWiki Denial-of-Service Vulnerability in Media Upload Function

Vulnerability

A denial-of-service vulnerability has been identified in DokuWiki version 2025-05-14b 'Librarian'. The issue is in the media_upload_xhr() function in media.php, which does not restrict the number of colons in an uploaded file name. DokuWiki treats each colon in a media ID as a namespace separator, and each namespace corresponds to a directory under the media store, so a file name containing many colons is turned into a deeply nested directory structure. Remote attackers can use this to exhaust the server's CPU and make it unavailable.

Impact

Successful exploitation exhausts the server's CPU, disrupting normal operation and blocking legitimate requests.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/lib/exe/ajax.php' with a 'qqfile' parameter whose value is a file name containing many colons. Each colon-separated segment is treated as a namespace, so the server creates one nested directory per segment; such requests can be used to exhaust the server's CPU.
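The following triage script is an added example and is not DokuWiki code or part of the original advisory. It models one fact about DokuWiki, that ':' separates namespaces in a media ID and each namespace maps to a directory, and flags upload requests whose 'qqfile' value would create more nested directories than a site normally needs. The log lines are constructed, the depth threshold is illustrative, and the script assumes the parameter is visible in the query string of the logged request line (as the wiki's XHR uploader sends it) and that empty segments from repeated colons are normalised away by the server; both are assumptions of this example, not statements from the advisory.

```python
"""Flag DokuWiki media uploads whose file name would create deeply nested
namespaces. Added example; not DokuWiki's own code."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Namespace depth above which an upload is reported. Illustrative value;
# tune it to the deepest namespace the wiki legitimately uses.
MAX_NAMESPACE_DEPTH = 8

# Constructed combined-log-format lines, not real traffic. Lines 2 and 4
# carry percent-encoded colons (%3A) in qqfile.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2026:15:17:01 +0000] "POST /lib/exe/ajax.php?call=mediaupload&qqfile=logo.png&ns=wiki HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2026:15:17:02 +0000] "POST /lib/exe/ajax.php?call=mediaupload&qqfile=a%3Ab%3Ac%3Ad%3Ae%3Af%3Ag%3Ah%3Ai%3Aj%3Ak%3Al%3Am.png HTTP/1.1" 200 51 "-" "curl/8.5.0"
203.0.113.9 - - [03/Apr/2026:15:17:03 +0000] "GET /lib/exe/ajax.php?call=medialist&ns=wiki HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2026:15:17:04 +0000] "POST /lib/exe/ajax.php?call=mediaupload&qqfile=%3A%3A%3Ax%3A%3A%3Ay.png HTTP/1.1" 200 51 "-" "curl/8.5.0"
"""

# Pulls the request method and target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def namespace_depth(media_id: str) -> int:
    """Number of directories the ID would create below the media root.

    Colons separate namespaces; the last segment is the file itself.
    Empty segments (leading, trailing or repeated colons) are dropped on
    the assumption that the server normalises them away, so ':::x:::y.png'
    is only one level deep.
    """
    segments = [s for s in media_id.split(":") if s]
    return max(len(segments) - 1, 0)


def qqfile_from_request(method: str, target: str) -> Optional[str]:
    """Return the decoded qqfile value if this is an upload call to
    lib/exe/ajax.php, else None. parse_qs undoes the percent-encoding."""
    if method != "POST":
        return None
    parts = urlsplit(target)
    if not parts.path.endswith("/lib/exe/ajax.php"):
        return None
    values = parse_qs(parts.query).get("qqfile")
    return values[0] if values else None


def flag_deep_uploads(log_text: str,
                      max_depth: int = MAX_NAMESPACE_DEPTH) -> List[Tuple[str, int]]:
    """Scan access-log text and return (qqfile, depth) for every upload whose
    namespace depth exceeds max_depth."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        media_id = qqfile_from_request(m.group("method"), m.group("target"))
        if media_id is None:
            continue
        depth = namespace_depth(media_id)
        if depth > max_depth:
            flagged.append((media_id, depth))
    return flagged


if __name__ == "__main__":
    for media_id, depth in flag_deep_uploads(SAMPLE_LOG):
        print(f"deep upload: depth={depth} qqfile={media_id!r}")
```

Only the second sample line is reported: its name has thirteen colon-separated segments, which is twelve directories deep. The fourth line, despite six colons, normalises to a single namespace and stays below the threshold, which is why the check counts non-empty segments rather than raw colons.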

Added: Apr 3, 2026, 3:17 PM
Updated: Apr 3, 2026, 3:17 PM

Vulnerability Rating

Custom Algorithm

category        score
spread          6.2
impact          2.5
exploitability  9.5
remediation     0.0
relevance       5.2
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.