CVE-2026-0669
Published: 07 January 2026
Summary
CVE-2026-0669 is a high-severity Path Traversal (CWE-22) vulnerability in Mediawiki Mediawiki. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0669 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the CSS extension for Wikimedia Foundation's MediaWiki. The issue affects versions 1.44, 1.43, and 1.39 of the MediaWiki CSS extension and was published on 2026-01-07.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), meaning it is exploitable remotely over the network by unauthenticated attackers (PR:N) with low attack complexity and no user interaction. Attackers can traverse path restrictions to access files outside intended directories, resulting in high confidentiality impact through unauthorized data disclosure, while integrity and availability remain unaffected.
Advisories and patches are detailed in the Gerrit change at https://gerrit.wikimedia.org/r/q/Ia15bf3f2e5a341868568492a736ac3dbf706c22e and the Phabricator task at https://phabricator.wikimedia.org/T401526.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1175
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal.This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing MediaWiki extension enables remote unauthenticated file read (T1190 initial access + T1005 local data disclosure).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the path traversal flaw in MediaWiki CSS extension versions 1.44, 1.43, and 1.39 by identifying, reporting, and applying available patches.
Requires validation of pathnames and file inputs to ensure they remain within restricted directories, preventing traversal attacks.
Enforces logical access controls on system resources, blocking unauthorized file reads resulting from path traversal exploitation.