Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-61648— Stored XSS through system messages in CheckUser

EPSS 0.04% · P11
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-61648

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Stored XSS through system messages in CheckUser
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/ShowIPButton.Vue, modules/ext.CheckUser.TempAccounts/SpecialBlock.Js. This issue affects CheckUser: from * before 1.44.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wikimedia CheckUser 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wikimedia CheckUser是Wikimedia基金会的一个打击破坏行为的高级调查工具。 Wikimedia CheckUser 1.44.1之前版本存在安全漏洞,该漏洞源于输入中和不当,可能导致跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Wikimedia FoundationCheckUser * ~ 1.44.1 -

II. Public POCs for CVE-2025-61648

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-61648

登录查看更多情报信息。

Same Patch Batch · Wikimedia Foundation · 2026-02-03 · 26 CVEs total

CVE-2025-67476Importing leaks IP address of importer via EventStreams
CVE-2025-67483Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection leve
CVE-2025-67481mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does
CVE-2025-67484Action API xslt option allows JavaScript execution by administrators who are not interface
CVE-2025-67482Lua segfault in unpack()
CVE-2025-61655Stored XSS through system messages in VisualEditor
CVE-2025-61658Special:GlobalContributions shows edits on wikis the viewer doesn't have access to
CVE-2025-61656XSS when pasting into VE
CVE-2025-61651i18n XSS through Special:CheckUser CheckUser helper
CVE-2025-61654UserInfoCard: Do permission checking when getting counts of global and local edits, new ar
CVE-2025-61657Wikimedia Vector 安全漏洞
CVE-2025-61653Extension:TextExtracts does not check for authorizeRead when returning extracts
CVE-2025-61652Action API discussiontoolspageinfo does not check for authorizeRead for the page
CVE-2025-61647UserInfoCard: Don't allow access to information about users who are suppressed if you don'
CVE-2025-67477Stored XSS through a system message in Special:ApiSandbox
CVE-2025-67475Stored XSS through edit summaries in MW Core
CVE-2025-67480list=allrevisions can be used to bypass Extension:Lockdown
CVE-2025-67479Magic word replacement in legacy parser allows using reserved data attributes through wiki
CVE-2025-67478Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, J
CVE-2025-61649UserInfoCard: Check that performing user has permission to view log entries for number of

Showing top 20 of 26 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: CheckUser
Same vendor: Wikimedia Foundation
Same weakness: CWE-79

V. Comments for CVE-2025-61648

No comments yet

Leave a comment