vulnerability
MediaWiki: Exposure of Sensitive Information to an Unauthorized Actor (CVE-2016-6335)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Apr 20, 2017 | Aug 24, 2017 | Apr 7, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Apr 20, 2017
Added
Aug 24, 2017
Modified
Apr 7, 2026
Description
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php.
Solution
mediawiki-upgrade-latest
References
- CVE-2016-6335
- https://attackerkb.com/topics/CVE-2016-6335
- CWE-200
- EUVD-EUVD-2016-7262
- https://bugzilla.redhat.com/show_bug.cgi?id=1369613
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2016-7262
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html
- https://phabricator.wikimedia.org/T139565
- https://phabricator.wikimedia.org/T139570
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.