I would like to announce the release of MediaWiki 1.43.7, 1.44.4 and 1.45.2!
These releases serve as security and maintenance releases for these branches.
They ended up a little later than expected in the day, due a last minute addition of the fix to Echo in T420154.
The tarballs have already been uploaded as of this email, and the git tags will be pushed shortly.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
Reports of bugs with PHP 8.0 to 8.5 support are particularly welcome, and fixes will be back-ported when possible. If you find issues that haven't been backported, please report these too, referring to the relevant supported release.
PHP 8.x workboards: * https://phabricator.wikimedia.org/tag/php_8.0_support/ * https://phabricator.wikimedia.org/tag/php_8.1_support/ * https://phabricator.wikimedia.org/tag/php_8.2_support/ * https://phabricator.wikimedia.org/tag/php_8.3_support/ * https://phabricator.wikimedia.org/tag/php_8.4_support/ * https://phabricator.wikimedia.org/tag/php_8.5_support/
As a reminder, MediaWiki 1.39 became EOL in December 2025 and MediaWiki 1.42 became EOL in June 2025.
== Security fixes ==
* (T384147, CVE-2026-34092) SECURITY: Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP. * (T410429, CVE-2026-34088) SECURITY: RecentChanges entries expose suppressed content via generated log page html. * (T411305, CVE-2026-34091) SECURITY: User localization leaked by AbuseFilter + EventStream. * (T411366, CVE-2026-34090) SECURITY: Suggested investigations: Handle suppressed usernames. * (T412061, CVE-2026-34087) SECURITY: Users API leaks whether privileged users have their user groups disabled for lack of 2FA. * (T414547, CVE-2026-34093) SECURITY: Special:UserRights allows viewing user rights from private wiki. * (T415584, CVE-2026-34086) SECURITY: AbuseFilter misuses ::userCanBitfield, exposing access-controlled information. * (T416090, CVE-2026-34094) SECURITY: Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix. * (T419168, CVE-2026-34089) SECURITY: Memory leak in Scribunto causes runJobs.php to run out of memory. * (T419192, CVE-2026-34095) SECURITY: action=raw with Special:Mypage subpage title responds with "Content-Type) SECURITY: text/html" on ctype=text/javascript request. * (T420154, CVE-2026-5266) SECURITY: Notifications (Echo) API can be used by any OAuth tool.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T384147 * https://phabricator.wikimedia.org/T410429 * https://phabricator.wikimedia.org/T411305 * https://phabricator.wikimedia.org/T411366 * https://phabricator.wikimedia.org/T412061 * https://phabricator.wikimedia.org/T414547 * https://phabricator.wikimedia.org/T415584 * https://phabricator.wikimedia.org/T416090 * https://phabricator.wikimedia.org/T419168 * https://phabricator.wikimedia.org/T419192 * https://phabricator.wikimedia.org/T420154
== Release notes ==
Full release notes for 1.43.7: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.43
Full release notes for 1.44.4: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_44/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.44
Full release notes for 1.45.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_45/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.45
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.tar.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.tar.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.zip
Patch to previous version (1.43.6): https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.zip.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.zip.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.tar.gz https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.tar.gz https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.zip
Patch to previous version (1.44.3): https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.gz https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.zip.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.zip.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.tar.gz https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.tar.gz https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.zip
Patch to previous version (1.45.1): https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.gz https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.zip.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.zip.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
mediawiki-announce@lists.wikimedia.org
