Skip to main content

MediaWiki CVE-2026-34088

| EUVD-2026-29060 LOW
Information Exposure (CWE-200)
2026-05-11 wikimedia-foundation GHSA-wpmg-m9mx-w7pj
Information Disclosure Mediawiki
1.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 18:00 vuln.today
Patch available
May 11, 2026 - 17:01 EUVD
CVSS changed
May 11, 2026 - 16:22 NVD
1.3 (LOW)
CVE Published
May 11, 2026 - 14:43 nvd
LOW 1.3
CVE Published
May 11, 2026 - 14:43 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.

This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

AnalysisAI

MediaWiki before versions 1.43.7, 1.44.4, and 1.45.2 exposes sensitive information to unauthorized actors through a vulnerability requiring user interaction. The flaw allows information disclosure via network access without authentication, though impact is limited (CVSS 1.3) and requires user participation to trigger. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker visits MediaWiki instance
Exploit
Performs user interaction to trigger vulnerability
Execution
Sensitive information exposed in response
Impact
Information harvested or analyzed for further attacks
Sign in to reveal

Vulnerability AssessmentAI

Exploitation User interaction is mandatory (UI:P in CVSS vector) - the vulnerability does not trigger automatically on page load or unauthenticated access alone. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Despite the extremely low CVSS score of 1.3, this vulnerability warrants careful assessment rather than dismissal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker visits a MediaWiki instance and performs a specific user-driven action that triggers the information disclosure vulnerability. For example, they may interact with a particular feature, access a crafted URL, or submit form data in an unexpected way that causes the site to inadvertently reveal sensitive information (such as internal configuration, user session tokens, or admin-only data) in the response. …
Remediation Upgrade immediately to patched versions: MediaWiki 1.43.7 or later, 1.44.4 or later, or 1.45.2 or later - choose the series matching your current deployment. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-34088 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy