PatchSiren

CVE-2026-34095 Phabricator CVE debrief

CVE-2026-34095 is a MediaWiki vulnerability disclosed on 2026-05-11 and updated on 2026-05-14. The supplied advisory maps it to CWE-668 (Exposure of Resource to Wrong Sphere) and references includes/Actions/ActionEntryPoint.php and includes/Request/FauxResponse.php, but it does not provide exploit mechanics or a user-facing attack scenario. The affected ranges are MediaWiki versions before 1.43.7, 1.44.4, and 1.45.2. Given that the CVSS 4.0 vector requires high privileges and shows no direct confidentiality, integrity, or availability impact, this reads as a privilege-boundary or access-control concern that should be patched on a normal maintenance cycle, with faster action if your MediaWiki deployment has broad or loosely controlled administrative access.

Vendor: Phabricator
Product: Unknown
CVSS: LOW 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-14
Advisory published: 2026-05-11
Advisory updated: 2026-05-14

Who should care

MediaWiki administrators, Wikimedia Foundation deployers, package maintainers, and security teams responsible for wiki platforms or custom MediaWiki extensions/integrations.

Technical summary

The supplied source corpus identifies a MediaWiki issue associated with ActionEntryPoint.php and FauxResponse.php and classifies it as CWE-668. The advisory indicates affected versions are all MediaWiki releases before 1.43.7, 1.44.4, and 1.45.2. The provided CVSS vector (AV:N/AC:L/AT:N/PR:H/UI:N with no direct C/I/A impact) suggests exploitation requires elevated privileges rather than unauthenticated remote access. No further technical details, proof-of-concept, or remediation steps are included in the source corpus beyond upgrading to a fixed release.

Defensive priority

Medium-low priority for most environments: schedule patching in the next maintenance window. Raise priority if the instance is internet-exposed, admin access is broad, or privileged users are not tightly controlled.

Recommended defensive actions

  • Upgrade MediaWiki to 1.43.7, 1.44.4, or 1.45.2, or later fixed releases.
  • Verify which MediaWiki instances in your environment are running versions earlier than the fixed releases.
  • Review who has privileged access to MediaWiki administration and reduce unnecessary high-privilege accounts.
  • Check custom extensions or integrations that interact with ActionEntryPoint.php or request/response handling for compatibility after upgrade.
  • Track the upstream Phabricator ticket and vendor advisories for any follow-up clarification or patch notes.
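
For the inventory step above, the following added example (not part of the advisory and not MediaWiki code) classifies wiki instances against the three fixed releases. It assumes each version comes from the `generator` field of the MediaWiki siteinfo API (`api.php?action=query&meta=siteinfo&siprop=general&format=json`), that branches newer than 1.45 already carry the fix, and it uses constructed host names and response bodies.

```python
import json
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {(1, 43): (1, 43, 7), (1, 44): (1, 44, 4), (1, 45): (1, 45, 2)}

def parse_generator(generator):
    """Return (major, minor, patch) from a siteinfo 'generator' string, or None."""
    m = re.search(r"MediaWiki (\d+)\.(\d+)(?:\.(\d+))?", str(generator))
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def classify(version):
    """Map a parsed version to 'affected', 'fixed' or 'unknown'."""
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "affected"
    if branch < min(FIXED):
        return "affected"  # predates every fixed release
    if branch > max(FIXED):
        return "fixed"     # assumption: later branches ship the fix
    return "unknown"

def triage(responses):
    """responses: host -> raw siteinfo JSON body. Returns host -> status."""
    report = {}
    for host, body in responses.items():
        try:
            generator = json.loads(body)["query"]["general"]["generator"]
        except (ValueError, KeyError, TypeError):
            generator = ""  # error page, truncated body, or unexpected shape
        report[host] = classify(parse_generator(generator))
    return report

# Constructed sample inventory (hypothetical hosts and response bodies).
SAMPLE = {
    "wiki-a.example.internal": '{"query":{"general":{"generator":"MediaWiki 1.43.6"}}}',
    "wiki-b.example.internal": '{"query":{"general":{"generator":"MediaWiki 1.43.7"}}}',
    "wiki-c.example.internal": '{"query":{"general":{"generator":"MediaWiki 1.44.3"}}}',
    "wiki-d.example.internal": '{"query":{"general":{"generator":"MediaWiki 1.45.2"}}}',
    "wiki-e.example.internal": '{"query":{"general":{"generator":"MediaWiki 1.39.11"}}}',
    "wiki-f.example.internal": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{status:9} {host}")
```

Hosts reported as `unknown` need a manual check, since an error page or a hidden version string says nothing about patch level.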

Evidence notes

This debrief is limited to the supplied GitHub Advisory Database entry, the referenced Phabricator ticket, and the NVD/CVE record links. The advisory is marked unreviewed and does not include exploit details, a severity breakdown beyond CVSS, or a confirmed impact narrative. Vendor attribution in the provided metadata is low-confidence and should be treated as source metadata rather than a verified product identity.

Official resources

Public advisory data was published at 2026-05-11T18:31:45Z and modified at 2026-05-14T00:32:58Z. No KEV entry or ransomware linkage is present in the supplied corpus.