CVE-2026-0668 - Vulnerability Details

- VisualData extension: Regular Expression Denial of Service (ReDoS) via crafted user input

Description

Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.

Published: 2026-01-07

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The VisualData Extension for MediaWiki contains an inefficient regular expression that can trigger exponential blowup when processing crafted input. This flaw, identified as CWE‑1333, allows an attacker to supply a specially structured string that causes the server to consume excessive CPU resources, leading to a denial‑of‑service condition for the entire MediaWiki application.

Affected Systems

The vulnerability affects Wikimedia Foundation’s MediaWiki VisualData Extension, version 1.45.0. Any installation running this extension—and potentially any higher versions that have not applied the fix—could be compromised. The affected CPE identifiers include mediawiki:mediawiki:1.45.0 and wikisphere:visualdata:mediawiki.

Risk and Exploitability

The CVSS v3.1 base score is 5.3, indicating a moderate severity. The EPSS rating is less than 1 %, suggesting that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Since the flaw is triggered by crafted user input, the likely attack vector is remote via HTTP requests that include malicious content parsed by the extension. An attacker could target a publicly exposed MediaWiki instance, causing a denial‑of‑service that impacts availability for all users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Wikimedia Foundation

MediaWiki - VisualData Extension

unaffected

Version	Status	Constraints
`1.45`	affected	—

Configuration 1 [-]

AND

cpe:2.3:a:wikisphere:visualdata:-:*:*:*:*:mediawiki:*:*

cpe:2.3:a:mediawiki:mediawiki:1.45.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Mediawiki	Mediawiki	—	—
Wikimedia	Mediawiki-visualdata Extension	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the VisualData Extension to the latest version that resolves the regular expression issue.
Sanitize or validate any user input that is processed by the extension to ensure that regular expression patterns are not excessively complex or unbounded.
Deploy a web application firewall or rate‑limit resource usage to detect and block repetitive heavy requests that could indicate a ReDoS attempt.

Generated by OpenCVE AI on April 18, 2026 at 08:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00075.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://gerrit.wikimedia.org/r/q/I4ff2737c9f0ba805267d1fc8296e7cff61241ee3
https://gerrit.wikimedia.org/r/q/I893a9fca694a2613e29e149dea2d76d7f06063e5
https://gerrit.wikimedia.org/r/q/Ie08d9a8ceb2c9a22a635cfc27964353f14072dbf
https://gerrit.wikimedia.org/r/q/Ifbf9c2ade621226e14fe852f3217293772bf8bb8
https://nvd.nist.gov/vuln/detail/CVE-2026-0668
https://phabricator.wikimedia.org/T387008
https://www.cve.org/CVERecord?id=CVE-2026-0668

History

Tue, 24 Feb 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wikisphere Wikisphere visualdata
CPEs		cpe:2.3:a:mediawiki:mediawiki:1.45.0:::::::* cpe:2.3:a:wikisphere:visualdata:-:::::mediawiki::
Vendors & Products		Wikisphere Wikisphere visualdata

Thu, 08 Jan 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mediawiki Mediawiki mediawiki Wikimedia Wikimedia mediawiki-visualdata Extension
Vendors & Products		Mediawiki Mediawiki mediawiki Wikimedia Wikimedia mediawiki-visualdata Extension

Thu, 08 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-0668 https://www.cve.org/CVERecord?id=CVE-2026-0668
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 07 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 Jan 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.
Title		VisualData extension: Regular Expression Denial of Service (ReDoS) via crafted user input
Weaknesses		CWE-1333
References		https://gerrit.wikimedia.org/r/q/I4ff2737c9f0ba805267d1fc8296e7cff61241ee3 https://gerrit.wikimedia.org/r/q/I893a9fca694a2613e29e149dea2d76d7f06063e5 https://gerrit.wikimedia.org/r/q/Ie08d9a8ceb2c9a22a635cfc27964353f14072dbf https://gerrit.wikimedia.org/r/q/Ifbf9c2ade621226e14fe852f3217293772bf8bb8 https://phabricator.wikimedia.org/T387008

Subscriptions

Mediawiki Mediawiki

Wikimedia Mediawiki-visualdata Extension

Wikisphere Visualdata

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published: 2026-01-07T17:36:19.258Z

Updated: 2026-01-07T19:17:41.764Z

Reserved: 2026-01-07T16:34:59.342Z

Link: CVE-2026-0668

Vulnrichment

Updated: 2026-01-07T19:17:16.412Z

NVD

Status : Analyzed

Published: 2026-01-07T18:15:52.873

Modified: 2026-02-24T18:32:21.493

Link: CVE-2026-0668

Redhat

Severity : Moderate

Publid Date: 2026-01-07T17:36:19Z

Links: CVE-2026-0668 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses

CWE-1333

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object