Security

This page documents information related to MediaWiki security.

Report a security problem
If you have found or believe you have found a security bug in MediaWiki or on one of Wikimedia's web sites, please directly e-mail security&#64;wikimedia.org with details.
 * Emailing the details to that address ensures that the issue is dealt with quickly and with the best outcome for our third-party users. Please do not report the issue directly in Phabricator UNLESS you set the "Security" dropdown to "Security or Sensitive Bug" in the "Create New Task" dialog, which ensures the bug report is not publicly readable.
 * See Reporting security bugs for more information about the process.

We would be most happy to have a day or two to fix the problem and prepare a bug fix for third-party users before public disclosure, if possible.

(Note that any security problems found in the wiki-to-HTML parser will be included in the parser regression test suite in the next release.)

Receive release notifications
You may subscribe to the low-traffic mediawiki-announce mailing list to receive notifications of new MediaWiki releases by e-mail.

This will include all security fix releases as well as other new versions. Anyone running a MediaWiki installation is strongly recommended to subscribe.