CVE-2021-30159

medium

Published — · Modified —

CVSS v3

—

CVSS v2

—

VIR risk

5.5

Description

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-30159

OS impact

OS	Version	Status	Fixed in
arch		fixed	`1.35.2-1`
debian	bookworm	fixed	`1:1.35.2-1`
debian	bullseye	fixed	`1:1.35.2-1`
debian	forky	fixed	`1:1.35.2-1`
debian	sid	fixed	`1:1.35.2-1`
debian	trixie	fixed	`1:1.35.2-1`

References

https://security-tracker.debian.org/tracker/CVE-2021-30159

Verify integrity in audit chain (admin only). AS-IS.