ikiwiki CVE Vulnerabilities & Metrics

Focus on ikiwiki vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About ikiwiki Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with ikiwiki. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total ikiwiki CVEs: 10
Earliest CVE date: 19 Feb 2008, 01:00 UTC
Latest CVE date: 21 Nov 2019, 20:15 UTC

Latest CVE reference: CVE-2015-2793

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

CVSS Stats

Average CVSS: 4.83

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 1
4.0-6.9 16
7.0-8.9 1
9.0-10.0 0

Top 5 Highest CVSS ikiwiki CVEs

These are the five CVEs with the highest CVSS scores for ikiwiki, sorted first by severity and then by recency.

All CVEs for ikiwiki

CVE-2015-2793 ikiwiki vulnerability CVSS: 4.3 21 Nov 2019, 20:15 UTC

Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi.

CVE-2010-1673 ikiwiki vulnerability CVSS: 4.3 30 Oct 2019, 23:15 UTC

A cross-site scripting (XSS) vulnerability in ikiwiki before 3.20101112 allows remote attackers to inject arbitrary web script or HTML via a comment.

CVE-2011-1408 ikiwiki vulnerability CVSS: 6.4 29 Oct 2019, 20:15 UTC

ikiwiki before 3.20110608 allows remote attackers to hijack root's tty and run symlink attacks.

CVE-2011-0428 ikiwiki vulnerability CVSS: 4.3 29 Oct 2019, 19:15 UTC

Cross Site Scripting (XSS) in ikiwiki before 3.20110122 could allow remote attackers to insert arbitrary JavaScript due to insufficient checking in comments.

CVE-2019-9187 ikiwiki vulnerability CVSS: 5.0 05 Jun 2019, 18:29 UTC

ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190228 allows SSRF via the aggregate plugin. The impact also includes reading local files via file: URIs.

CVE-2017-0356 ikiwiki vulnerability CVSS: 7.5 13 Apr 2018, 15:29 UTC

A flaw, similar to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters.

CVE-2016-9646 ikiwiki vulnerability CVSS: 5.0 13 Apr 2018, 15:29 UTC

ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata forgery.

CVE-2016-9645 ikiwiki vulnerability CVSS: 4.0 10 Apr 2018, 22:29 UTC

The fix for ikiwiki for CVE-2016-10026 was incomplete resulting in editing restriction bypass for git revert when using git versions older than 2.8.0. This has been fixed in 3.20161229.

CVE-2016-10026 ikiwiki vulnerability CVSS: 5.0 13 Feb 2017, 18:59 UTC

ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.

CVE-2016-4561 ikiwiki vulnerability CVSS: 4.3 10 May 2016, 19:59 UTC

Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.

CVE-2012-0220 ikiwiki vulnerability CVSS: 4.3 29 May 2012, 20:55 UTC

Multiple cross-site scripting (XSS) vulnerabilities in the meta plugin (Plugin/meta.pm) in ikiwiki before 3.20120516 allow remote attackers to inject arbitrary web script or HTML via the (1) author or (2) authorurl meta tags.

CVE-2011-1401 ikiwiki vulnerability CVSS: 3.5 11 Apr 2011, 18:55 UTC

ikiwiki before 3.20110328 does not ascertain whether the htmlscrubber plugin is enabled during processing of the "meta stylesheet" directive, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences in (1) the default stylesheet or (2) an alternate stylesheet.

CVE-2010-1195 ikiwiki vulnerability CVSS: 4.3 31 Mar 2010, 18:00 UTC

Cross-site scripting (XSS) vulnerability in the htmlscrubber component in ikiwiki 2.x before 2.53.5 and 3.x before 3.20100312 allows remote attackers to inject arbitrary web script or HTML via a crafted data:image/svg+xml URI.

CVE-2009-2944 ikiwiki vulnerability CVSS: 5.0 31 Aug 2009, 20:30 UTC

Incomplete blacklist vulnerability in the teximg plugin in ikiwiki before 3.1415926 and 2.x before 2.53.4 allows context-dependent attackers to read arbitrary files via crafted TeX commands.

CVE-2008-0169 ikiwiki vulnerability CVSS: 6.8 03 Jun 2008, 15:32 UTC

Plugin/passwordauth.pm (aka the passwordauth plugin) in ikiwiki 1.34 through 2.47 allows remote attackers to bypass authentication, and login to any account for which an OpenID identity is configured and a password is not configured, by specifying an empty password during the login sequence.

CVE-2008-0165 ikiwiki vulnerability CVSS: 4.3 21 Apr 2008, 13:05 UTC

Cross-site request forgery (CSRF) vulnerability in Ikiwiki before 2.42 allows remote attackers to modify user preferences, including passwords, via the (1) preferences and (2) edit forms.

CVE-2008-0808 ikiwiki vulnerability CVSS: 4.3 19 Feb 2008, 01:00 UTC

Cross-site scripting (XSS) vulnerability in the meta plugin in Ikiwiki before 1.1.47 allows remote attackers to inject arbitrary web script or HTML via meta tags.

CVE-2008-0809 ikiwiki vulnerability CVSS: 4.3 19 Feb 2008, 01:00 UTC

Cross-site scripting (XSS) vulnerability in the htmlscrubber in Ikiwiki before 1.1.46 allows remote attackers to inject arbitrary web script or HTML via title contents.