Skip to main content

Wikimedia AbuseFilter CVE-2026-34086

| EUVDEUVD-2026-29058 LOW
Improper Input Validation (CWE-20)
2026-05-11 wikimedia-foundation GHSA-5qc5-wp75-wxgx
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
P
Scope
N

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 18:00 vuln.today
Patch available
May 11, 2026 - 17:01 EUVD
CVSS changed
May 11, 2026 - 16:22 NVD
2.1 (LOW)
CVE Published
May 11, 2026 - 14:35 nvd
LOW 2.1
CVE Published
May 11, 2026 - 14:35 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Vulnerability in Wikimedia Foundation AbuseFilter.

This issue affects AbuseFilter: from * before 1.43.7, 1.44.4, 1.45.2.

AnalysisAI

Information disclosure in Wikimedia Foundation AbuseFilter allows low-privileged authenticated users with user interaction to access limited confidential data through a network vector. The vulnerability affects AbuseFilter versions prior to 1.43.7, 1.44.4, and 1.45.2, with very low CVSS score (2.1) indicating minimal real-world impact but potential for sensitive information leakage in filtered content or filter logic contexts.

Technical ContextAI

AbuseFilter is a content-moderation tool deployed in Wikimedia installations that uses rule-based filtering to identify and manage abusive contributions. The vulnerability appears to involve improper access controls or information exposure in the filter mechanism itself, likely triggered through a network interface requiring low-privilege authentication and user interaction. CPE cpe:2.3:a:wikimedia_foundation:abusefilter:*:*:*:*:*:*:*:* confirms the affected component. While specific CWE is not provided, the CVSS 4.0 vector indicating confidentiality impact (VC:L/VI:L) and scope limitation (S:N) suggests a logic flaw in access control or data exposure in filter operations.

RemediationAI

Upgrade AbuseFilter to version 1.43.7, 1.44.4, or 1.45.2 or later, depending on which release track is in use. Vendor-released patches are available per Wikimedia Foundation. For environments unable to patch immediately, restrict access to filter administration and management interfaces to trusted administrators, and monitor filter-related logs for suspicious user interactions that may indicate exploitation attempts. Review access controls on accounts with low-privilege filter permissions to ensure least-privilege principles are enforced.

Share

CVE-2026-34086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy