Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS.This issue affects MediaWiki - ReportIncident Extension: 1.43.7, 1.44.4, 1.45.2.
AnalysisAI
Denial-of-service via unthrottled resource allocation in the Wikimedia MediaWiki ReportIncident Extension allows authenticated remote attackers to trigger HTTP DoS by exhausting server resources without rate limiting. Affected versions include ReportIncident 1.43.7, 1.44.4, and 1.45.2. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), a resource management flaw where the ReportIncident Extension for MediaWiki fails to implement rate limiting or quota enforcement on resource-intensive operations. This allows authenticated users to repeatedly trigger operations that consume server resources (memory, CPU, disk I/O, or network bandwidth) without constraints. The extension is a Wikimedia Foundation component that handles incident reporting workflows, and the absence of throttling controls on these workflows creates a denial-of-service vector. The affected CPE is implicitly mediawiki extensions reportincident across versions 1.43.7, 1.44.4, and 1.45.2.
RemediationAI
Update the ReportIncident Extension to a patched version released after the identified vulnerable versions (1.43.7, 1.44.4, 1.45.2). The Gerrit change at gerrit.wikimedia.org/r/c/mediawiki/extensions/ReportIncident/+/1226884 contains the upstream fix and should be pulled into production deployments. Administrators should consult the Phabricator ticket (phabricator.wikimedia.org/T411394) for specific patched version numbers and release timing. As a temporary workaround pending patching, implement rate limiting or throttling at the web server level (nginx, Apache) for endpoints associated with incident reporting, or restrict access to the ReportIncident extension to trusted user groups only.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19897
GHSA-grmr-hpr9-gww7