Skip to main content

Wikimedia Foundation MediaWiki EUVDEUVD-2026-19897

| CVE-2026-5762 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-07 c4f26cc8-17ff-4c99-b5e2-38fc1793eacc GHSA-grmr-hpr9-gww7
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 19:22 euvd
EUVD-2026-19897
Analysis Generated
Apr 07, 2026 - 19:22 vuln.today
CVE Published
Apr 07, 2026 - 19:16 nvd
MEDIUM 5.3

DescriptionCVE.org

Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS.This issue affects MediaWiki - ReportIncident Extension: 1.43.7, 1.44.4, 1.45.2.

AnalysisAI

Denial-of-service via unthrottled resource allocation in the Wikimedia MediaWiki ReportIncident Extension allows authenticated remote attackers to trigger HTTP DoS by exhausting server resources without rate limiting. Affected versions include ReportIncident 1.43.7, 1.44.4, and 1.45.2. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), a resource management flaw where the ReportIncident Extension for MediaWiki fails to implement rate limiting or quota enforcement on resource-intensive operations. This allows authenticated users to repeatedly trigger operations that consume server resources (memory, CPU, disk I/O, or network bandwidth) without constraints. The extension is a Wikimedia Foundation component that handles incident reporting workflows, and the absence of throttling controls on these workflows creates a denial-of-service vector. The affected CPE is implicitly mediawiki extensions reportincident across versions 1.43.7, 1.44.4, and 1.45.2.

RemediationAI

Update the ReportIncident Extension to a patched version released after the identified vulnerable versions (1.43.7, 1.44.4, 1.45.2). The Gerrit change at gerrit.wikimedia.org/r/c/mediawiki/extensions/ReportIncident/+/1226884 contains the upstream fix and should be pulled into production deployments. Administrators should consult the Phabricator ticket (phabricator.wikimedia.org/T411394) for specific patched version numbers and release timing. As a temporary workaround pending patching, implement rate limiting or throttling at the web server level (nginx, Apache) for endpoints associated with incident reporting, or restrict access to the ReportIncident extension to trusted user groups only.

Share

EUVD-2026-19897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy