Description
Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS.
This issue was remediated only on the `master` branch.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The ReportIncident Extension contains a flaw that allows unbounded allocation of server resources, leading to a denial‑of‑service condition. This uncontrolled memory consumption is identified as CWE‑770.

Affected Systems

Vulnerable versions of the MediaWiki ReportIncident Extension distributed by the Wikimedia Foundation prior to the latest master branch patch are affected. The patch is only available on the master branch, meaning older stable releases remain at risk.

Risk and Exploitability

The CVSS score of 5.3 rates the vulnerability as moderate while the EPSS score of less than 1 % indicates a low likelihood of exploitation. Based on the description, the likely attack vector involves sending repeated HTTP requests to the ReportIncident endpoints, exhausting server resources. The vulnerability is not listed in the CISA KEV catalog and no public exploits are known, but the absence of throttling presents a clear path for a determined attacker to disrupt service.

Generated by OpenCVE AI on April 8, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ReportIncident Extension to the latest patched version from the master branch.
  • If an immediate update is not possible, consider disabling or removing the faulty integration from the extension.
  • Implement rate‑limiting or request throttling on the ReportIncident endpoints to mitigate DoS risk.
  • Monitor web traffic for unusually high request rates and enforce IP blocking or temporary shutdowns if necessary.

Generated by OpenCVE AI on April 8, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia
Wikimedia mediawiki-reportincident Extension
Vendors & Products Wikimedia
Wikimedia mediawiki-reportincident Extension

Wed, 08 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS.This issue affects MediaWiki - ReportIncident Extension: 1.43.7, 1.44.4, 1.45.2. Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS. This issue was remediated only on the `master` branch.
References

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS.This issue affects MediaWiki - ReportIncident Extension: 1.43.7, 1.44.4, 1.45.2.
Title ReportIncident DiscussionTools integration causes slow requests
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L'}

Subscriptions

Wikimedia Mediawiki-reportincident Extension
cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-04-08T19:12:52.328Z

Reserved: 2026-04-07T18:21:15.769Z

Link: CVE-2026-5762

cve-icon Vulnrichment

Updated: 2026-04-07T20:40:23.853Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T19:16:48.347

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-5762

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:28:42Z

Weaknesses