Description
Vulnerability in Wikimedia Foundation Scribunto.

This issue affects Scribunto: from 1.45.0 before 1.45.2.
Published: 2026-05-11
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a memory leak in Wikimedia Foundation's Scribunto extension that causes the PHP script runJobs.php to grow memory usage until exhaustion. The flaw is associated with CWE-79. The leaked memory can accumulate over time, eventually resulting in out-of-memory errors that halt the job queue and disrupt services.

Affected Systems

Scribunto versions from 1.45.0 up to, but not including, 1.45.2 are affected. Any deployment of these versions that processes jobs with runJobs.php is susceptible to the leak.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity denial-of-service risk. Exploitation requires local control over job submissions or triggering the job queue; no publicly available exploit has been reported, and the vulnerability is not listed in CISA KEV. Because it depends on the job queue running continuously, the risk is situational and may be mitigated by limiting concurrency or monitoring memory, but the fundamental flaw remains until the patch is applied.

Generated by OpenCVE AI on May 11, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Scribunto to version 1.45.2 or later, which removes the memory-leak flaw.
  • Restart the web services to reload the updated extension and clear any residual memory allocation.
  • Configure job queue concurrency limits or periodically restart runJobs.php to control memory usage while the upgrade is being applied.

Generated by OpenCVE AI on May 11, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://phabricator.wikimedia.org/T419168 cve-icon cve-icon
History

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CWE-79

Mon, 11 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia
Wikimedia scribunto
Vendors & Products Wikimedia
Wikimedia scribunto

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Vulnerability in Wikimedia Foundation Scribunto. This issue affects Scribunto: from 1.45.0 before 1.45.2.
Title Memory leak in Scribunto causes runJobs.php to run out of memory
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Wikimedia Scribunto
cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-05-11T15:53:12.489Z

Reserved: 2026-03-25T17:15:46.521Z

Link: CVE-2026-34089

cve-icon Vulnrichment

Updated: 2026-05-11T15:52:52.780Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-11T16:17:30.293

Modified: 2026-05-12T14:45:49.820

Link: CVE-2026-34089

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T20:30:16Z

Weaknesses