Cyber Posture

CVE-2026-26477

Severity: Medium · Public PoC

Published: 03 April 2026

Modified: 09 April 2026
KEV Added: not listed
Patch: no fixed version listed on this page
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0016 (36.3rd percentile)
Risk Priority: 9 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26477 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in DokuWiki. Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). Its EPSS score places it at the 36.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SC-5 directly implements denial-of-service protections such as rate limiting and resource throttling to prevent resource exhaustion through requests that reach the media_upload_xhr() function.

prevent: SC-6 enforces resource availability protections such as quotas and allocation limits to mitigate uncontrolled consumption triggered by authenticated upload requests.

prevent: SI-2 requires timely flaw remediation, including patching DokuWiki to address the specific resource exhaustion vulnerability in media.php.
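The SC-5 and SC-6 entries above name rate limiting, throttling and allocation limits only in the abstract. The block below is an added example, not DokuWiki code and not part of the original page: a per-user admission gate (a token bucket for rate and burst, an in-flight counter for concurrency, and a size cap) of the kind a reverse proxy or application middleware could apply before an upload handler such as media_upload_xhr() allocates anything. The policy values, user names and request sequence are constructed for the demonstration.

```python
"""Per-user throttling and quota checks for an upload endpoint (SC-5 / SC-6).

Added example, not DokuWiki code: an admission-control layer a reverse proxy
or middleware could run in front of an upload handler.  Policy numbers,
principal names and the simulated request sequence are all constructed.
"""
import time
from dataclasses import dataclass


@dataclass
class UploadPolicy:
    rate_per_minute: int = 10         # sustained uploads allowed per user per minute (SC-5)
    burst: int = 5                    # short burst tolerated before throttling kicks in
    max_inflight: int = 2             # concurrent uploads per user (SC-6 allocation limit)
    max_bytes: int = 8 * 1024 * 1024  # per-request body cap, checked before reading the body


@dataclass
class _UserState:
    tokens: float
    last_refill: float
    inflight: int = 0


class UploadGate:
    """Token bucket (rate/burst) plus in-flight counter, keyed by the authenticated user."""

    def __init__(self, policy: UploadPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock            # injectable so the demo can drive time deterministically
        self._users: dict[str, _UserState] = {}

    def _state(self, user: str) -> _UserState:
        now = self.clock()
        st = self._users.get(user)
        if st is None:
            st = _UserState(tokens=float(self.policy.burst), last_refill=now)
            self._users[user] = st
            return st
        # Refill proportionally to elapsed time, never above the burst size.
        elapsed = now - st.last_refill
        st.tokens = min(self.policy.burst,
                        st.tokens + elapsed * self.policy.rate_per_minute / 60.0)
        st.last_refill = now
        return st

    def admit(self, user: str, content_length: int) -> tuple[bool, str]:
        """Decide before any body bytes are read or temp files are created."""
        if content_length > self.policy.max_bytes:
            return False, "413 payload too large"
        st = self._state(user)
        if st.inflight >= self.policy.max_inflight:
            return False, "429 too many concurrent uploads"
        if st.tokens < 1.0:
            return False, "429 rate limited"
        st.tokens -= 1.0
        st.inflight += 1
        return True, "accepted"

    def release(self, user: str) -> None:
        """Must run on every exit path of the handler, success or failure."""
        st = self._users.get(user)
        if st and st.inflight > 0:
            st.inflight -= 1


def simulate_flood(n_requests: int = 20) -> dict[str, int]:
    """Constructed scenario: 'attacker' fires n uploads 100 ms apart while
    'alice' uploads once.  Returns how many requests per user were admitted."""
    fake_now = [1000.0]
    gate = UploadGate(UploadPolicy(), clock=lambda: fake_now[0])
    admitted = {"attacker": 0, "alice": 0}
    for _ in range(n_requests):
        ok, _reason = gate.admit("attacker", 1024)
        if ok:
            admitted["attacker"] += 1
            gate.release("attacker")  # handler finishes quickly ...
        fake_now[0] += 0.1            # ... and the next request arrives 100 ms later
    ok, _reason = gate.admit("alice", 1024)
    if ok:
        admitted["alice"] += 1
    return admitted


if __name__ == "__main__":
    print(simulate_flood())  # attacker gets the burst of 5, alice is unaffected
```

Two design points matter here. The gate decides before the request body is read or a temporary file is created, which is where the allocation that CWE-770 describes happens; a check placed after the upload has been staged protects nothing. And release() must run on every exit path of the handler, otherwise a failed upload leaks an in-flight slot and the quota turns into a self-inflicted denial of service for that user.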

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The CVE describes a resource exhaustion flaw (CWE-400/770) in DokuWiki's media upload handler that an authenticated remote attacker can directly abuse to trigger application-level denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
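For the detection side of T1499.003, the following is an added example, not part of the original page and not DokuWiki code: a small detector that parses combined-format web-server access logs and flags a client that issues more media-upload requests than a policy allows within a sliding window. The log lines are constructed, and the upload endpoint path (lib/exe/ajax.php with call=mediaupload), the keying by client IP, and the thresholds are assumptions for the demonstration.

```python
"""Flag bursts of media-upload requests in access logs (T1499.003 detection).

Added example, not from the page or DokuWiki.  Assumptions: combined log
format, DokuWiki's AJAX entry point at /lib/exe/ajax.php with
call=mediaupload, and client IP as the principal (the auth user is not in
the log).  All sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
UPLOAD_PATH = "/lib/exe/ajax.php"   # assumed DokuWiki AJAX entry point
UPLOAD_CALL = "call=mediaupload"    # assumed upload call name


def parse(line: str):
    """Return (ip, timestamp, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def is_upload(method: str, path: str) -> bool:
    """True only for POSTs to the upload endpoint with the exact upload call parameter."""
    base, _, query = path.partition("?")
    return method == "POST" and base == UPLOAD_PATH and UPLOAD_CALL in query.split("&")


def detect_upload_floods(log_text: str, window_seconds: int = 60,
                         max_per_window: int = 10) -> dict[str, int]:
    """Return {client_ip: uploads in the window at the moment the threshold was first crossed}."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, int] = {}
    events = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_upload(rec[2], rec[3]):
            events.append((rec[1], rec[0]))
    events.sort()  # logs are normally ordered, but sort defensively
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) > max_per_window and ip not in alerts:
            alerts[ip] = len(q)
    return alerts


# Constructed sample log: one client fires 12 uploads in 22 seconds, another
# uploads twice, and an unrelated POST to the same script is present as a decoy.
def _line(ip: str, ts: str, request: str, status: str = "200") -> str:
    return f'{ip} - - [{ts}] "{request} HTTP/1.1" {status} 57'


_UPLOAD = "POST /lib/exe/ajax.php?call=mediaupload&ns=playground"
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.4", "09/Apr/2026:10:00:01 +0000", "GET /doku.php?id=start")]
    + [_line("203.0.113.7", f"09/Apr/2026:10:00:{2 * i:02d} +0000", _UPLOAD) for i in range(12)]
    + [
        _line("198.51.100.4", "09/Apr/2026:10:00:05 +0000", _UPLOAD),
        _line("198.51.100.4", "09/Apr/2026:10:00:40 +0000", _UPLOAD),
        _line("203.0.113.7", "09/Apr/2026:10:00:41 +0000",
              "POST /lib/exe/ajax.php?call=medians&ns=wiki"),
    ]
)

if __name__ == "__main__":
    print(detect_upload_floods(SAMPLE_LOG))  # flags 203.0.113.7 on its 11th upload
```

The threshold should mirror whatever rate limit the proxy enforces, so that the alert fires on attempts that exceed policy rather than on traffic that was already allowed; and because the log carries no authenticated user, a single DokuWiki account spread across many source addresses would need application-side logging to correlate.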

NVD Description

An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file

Deeper analysis

CVE-2026-26477 is a denial-of-service vulnerability affecting DokuWiki version 2025-05-14b "Librarian" (release 56.2). The flaw exists in the media_upload_xhr() function within the media.php file, where a remote attacker can trigger resource exhaustion. It is rated with a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) and is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption). The vulnerability was published on 2026-04-03.

Exploitation requires low privileges, such as those of an authenticated user (PR:L), and can be performed remotely over the network with low complexity and no user interaction. A successful attack disrupts availability by causing a denial of service, such as through excessive resource consumption, but does not compromise confidentiality or integrity.

Advisories and release information are available at https://github.com/Hebing123/cve/issues/94 and https://github.com/dokuwiki/dokuwiki/releases/tag/release-2025-05-14b.

Details

CWE(s)

CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-400 (Uncontrolled Resource Consumption)

Affected Products

Vendor: dokuwiki · Product: dokuwiki · Version: 2025-05-14b

CVEs Like This One

CVE-2026-28342 (shared CWE-400, CWE-770)
CVE-2026-36958 (shared CWE-400)
CVE-2024-12537 (shared CWE-770)
CVE-2025-21545 (shared CWE-400)
CVE-2026-40481 (shared CWE-400)
CVE-2026-32980 (shared CWE-770)
CVE-2025-27513 (shared CWE-770)
CVE-2025-52636 (shared CWE-400)
CVE-2026-33871 (shared CWE-770)
CVE-2026-4726 (shared CWE-400)
