Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible, unauthenticated bypass with no interaction; uniform Low C/I/A impact reflects scoped extension access, not full site compromise.
Primary rating from Vendor (wikimedia-foundation).
CVSS VectorVendor: wikimedia-foundation
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.
This issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.
AnalysisAI
Authentication bypass in the Wikimedia Foundation's WikiLambda extension for MediaWiki allows unauthenticated remote attackers to circumvent access controls via improper neutralization of input terminator characters (CWE-288). Affected are all WikiLambda deployments running versions prior to 1.43.9, 1.44.6, and 1.45.4 across the supported MediaWiki release branches. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The WikiLambda extension must be installed and enabled on the target MediaWiki instance - sites running core MediaWiki without this extension are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is a fully remote, unauthenticated, low-complexity exploit requiring no user interaction - characteristics that place it at elevated operational priority despite the moderate base score of 6.9. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to a WikiLambda-enabled MediaWiki instance, embedding input terminator characters (such as null bytes or newlines) within a parameter processed by the extension's authentication logic. The terminator causes the parser to exit the auth validation routine prematurely via an alternate code path, granting the attacker access to WikiLambda API actions that should require authentication. … |
| Remediation | Upgrade the WikiLambda extension to version 1.43.9 or later on MediaWiki 1.43.x branches, 1.44.6 or later on 1.44.x, or 1.45.4 or later on 1.45.x, per the fix versions stated in the CVE description. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41114
GHSA-9r5v-wvvq-6v9f