{"id":"CVE-2016-6334","details":"Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links.","modified":"2026-05-18T12:49:38.635689Z","published":"2017-04-20T17:59:00.663Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/98057"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1369613"},{"type":"FIX","url":"https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html"},{"type":"FIX","url":"https://phabricator.wikimedia.org/T137264"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wikimedia/mediawiki","events":[{"introduced":"0"},{"last_affected":"1b1588f892b81983d5cd93bea6f5b5d652b2cdf5"},{"last_affected":"365e22ee61035f953b47387af92ef832f09d5982"},{"last_affected":"905d088b12375958099346a922d4f0ccc1db12ca"},{"last_affected":"f465524fc4840fb5c8b97e9ee6ffaf2a30c2e644"},{"last_affected":"fa11b598b4e396f606c2ffe8a4929c24e0f8cf46"},{"last_affected":"2e3e7395f1f290fff646510233bf6386fcf01a5d"},{"last_affected":"758cd9d2371d529450448cdf7eb2f1f6e099cfee"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.23.14"},{"last_affected":"1.26.0"},{"last_affected":"1.26.1"},{"last_affected":"1.26.2"},{"last_affected":"1.26.3"},{"last_affected":"1.26.4"},{"last_affected":"1.27.0"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.0:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.1:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.2:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.3:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.4:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.27.0:*:*:*:*:*:*:*"]}}],"versions":["REL1_26","1.26.4","1.23.14","1.27.0","1.27.0-rc.1","1.27.0-rc.0","1.26.3","1.23.13","1.26.2","1.23.12","1.26.1","1.23.11","1.26.0","1.23.10","1.23.9","1.23.8","1.23.7","1.23.6","1.23.5","1.23.4","1.23.3","1.23.2","1.23.1","1.23.0","1.23.0-rc.3","1.23.0-rc.2","1.23.0-rc.1","1.23.0rc0","1.6.0","1.5.0beta4","1.5.0beta3","1.5.0beta2","1.5.0beta1","1.5.0alpha2","1.5.0alpha1","1.3.0beta1","1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-6334.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}