Bug 1369613 (CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336) - CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334 CVE-2016-6335 CVE-2016-6336 mediawiki: multiple flaws fixed in 1.27.1, 1.26.4 and 1.23.15
Status: CLOSED UPSTREAM
Alias: CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1369614 1369615
Blocks:
Reported: 2016-08-24 01:29 UTC by Jeremy Choi
Modified: 2021-02-17 03:25 UTC (History)

Fixed In Version: mediawiki 1.27.1, mediawiki 1.26.4, mediawiki 1.23.15
Last Closed: 2019-06-08 02:57:49 UTC
Embargoed:



Description Jeremy Choi 2016-08-24 01:29:25 UTC
Multiple flaws have been reported on mediawiki. 

T115333: API action=parse does not check per-title read permissions
= Flaw =
  MediaWiki does not properly respect results from extensions that deny
read access to certain pages via the userCan hook.
= Exploit =
  Users may gain inadvertent access to pages which extensions (such as
Lockdown) have been configured to disallow.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T115333

T129738: Blocked accounts on BlockDisablesLogin wikis aren't logged out
= Flaw =
  On wikis which have been configured with $wgBlockDisablesLogin set
true, blocked user sessions are not terminated at the time that the user
account is blocked.
= Exploit =
  Blocked users will continue to have access to the wiki for the
duration of their login session.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T129738

T133147: XSS via CSS user subpage preview feature
= Flaw =
  When previewing Special:Mypage/common.css, the contents are included
in an inline <style> tag. However, "</style>" is not properly escaped,
allowing arbitrary HTML.
= Exploit =
  An attacker may execute a reflected cross-site scripting attack
against non-authenticated users.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T133147

T137264: XSS in Parser::replaceInternalLinks2 during replacement of
percent encoding in unclosed internal links
= Flaw =
  MediaWiki does not properly process URL-encoded values when handling
unterminated internal links.
= Exploit =
  An attacker may submit content containing specially-crafted
unterminated links, leading to persistent cross-site scripting.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T137264

T139570: API action=parse&prop=headhtml leaks current user and their
tokens to third-party sites when used via JSONP
= Flaw =
  The result of a MediaWiki API call using JSONP reveals private user
data, including username and CSRF token.
= Exploit =
  An attacker may take advantage of the revealed information to
circumvent CSRF protection.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T139570

T132926: Admins can get around oversight (suppression) of file revisions
= Flaw =
  MediaWiki does not properly enforce access controls limiting
restoration of deleted or suppressed files.
= Exploit =
  Admins with insufficient permissions may restore deleted or suppressed
files.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T132926

T139670: Central auth global groups don't take session rights limit into
account
= Flaw =
  The UserGetRights runtime hook allowed extensions to grant permissions
that had previously been denied based on user session attributes.
= Exploit =
  Extensions using this hook may accidentally or maliciously add
permissions which had been explicitly disallowed.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
= Reference =
  https://phabricator.wikimedia.org/T139670
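
The inline `<style>` flaw described under T133147 above, as an added example that is not part of the original report and is not MediaWiki's code: the unescaped embedding beside a hardened form, with a simplified model of the HTML tokenizer showing where the style element ends in each case. All function names and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example, not MediaWiki code; all function names are hypothetical.

// Constructed sample of previewed user CSS that carries a mixed-case end tag.
const SAMPLE_CSS = 'body { color: red } </STYLE ><b id="injected">x</b>';

// Before: user CSS is dropped into the raw-text <style> element unchanged.
function inlineStyleNaive(css) {
  return '<style>' + css + '</style>';
}

// After: CSS-escape every '<' so no "</style" sequence can reach the browser.
// "\3C " is the CSS escape for U+003C; the trailing space terminates it.
// '>' is left alone because CSS uses it as the child combinator.
function inlineStyleSafe(css) {
  return '<style>' + css.replace(/</g, '\\3C ') + '</style>';
}

// Simplified model of how an HTML tokenizer ends a <style> element: at the
// first "</style" (any case) followed by whitespace, "/" or ">". Everything
// after that end tag is parsed as ordinary markup again.
function splitAtStyleEnd(html) {
  const body = html.slice('<style>'.length);
  const m = /<\/style[\t\n\f\r \/>]/i.exec(body);
  if (!m) return { cssText: body, trailingMarkup: '' };
  const closeEnd = body.indexOf('>', m.index) + 1;
  return { cssText: body.slice(0, m.index), trailingMarkup: body.slice(closeEnd) };
}

// Regression check a template or output filter can run on rendered HTML:
// nothing may follow the first end tag, so it must be the server's own.
function styleBlockIsContained(html) {
  return splitAtStyleEnd(html).trailingMarkup === '';
}

console.log('naive contained:', styleBlockIsContained(inlineStyleNaive(SAMPLE_CSS)));
console.log('safe contained: ', styleBlockIsContained(inlineStyleSafe(SAMPLE_CSS)));
```

A case-sensitive search for the literal string `</style>` would miss the sample input, which is why the model matches case-insensitively and allows whitespace before `>`.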

Comment 1 Jeremy Choi 2016-08-24 01:30:03 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1369614]
Affects: epel-all [bug 1369615]

Comment 2 Andrej Nemec 2016-08-29 07:27:19 UTC
External references:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

Comment 3 Andrej Nemec 2016-08-29 07:28:51 UTC
It seems that upstream changed the fixed-in version of the 1.23 branch to 1.23.15.

https://www.mediawiki.org/wiki/Release_notes/1.23#Changes_since_1.23.14

Comment 4 Fedora Update System 2016-09-06 18:24:19 UTC
mediawiki-1.27.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-09-06 22:23:47 UTC
mediawiki-1.26.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-09-07 01:49:40 UTC
mediawiki-1.26.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Product Security DevOps Team 2019-06-08 02:57:49 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

