Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-61649— UserInfoCard: Check that performing user has permission to view log entries for number of past blocks

EPSS 0.09% · P25
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-61649

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
UserInfoCard: Check that performing user has permission to view log entries for number of past blocks
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f110651b6af4f41d2d11ae7309.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wikimedia CheckUser 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wikimedia CheckUser是Wikimedia基金会的一个打击破坏行为的高级调查工具。 Wikimedia CheckUser存在安全漏洞,该漏洞源于未检查当前操作用户是否实际拥有查看这些封禁日志条目的权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Wikimedia FoundationCheckUser 7cedd58781d261f110651b6af4f41d2d11ae7309 ~ * -

II. Public POCs for CVE-2025-61649

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-61649

登录查看更多情报信息。

Same Patch Batch · Wikimedia Foundation · 2026-02-03 · 26 CVEs total

CVE-2025-67476Importing leaks IP address of importer via EventStreams
CVE-2025-67483Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection leve
CVE-2025-67481mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does
CVE-2025-67484Action API xslt option allows JavaScript execution by administrators who are not interface
CVE-2025-67482Lua segfault in unpack()
CVE-2025-61655Stored XSS through system messages in VisualEditor
CVE-2025-61658Special:GlobalContributions shows edits on wikis the viewer doesn't have access to
CVE-2025-61656XSS when pasting into VE
CVE-2025-61651i18n XSS through Special:CheckUser CheckUser helper
CVE-2025-61654UserInfoCard: Do permission checking when getting counts of global and local edits, new ar
CVE-2025-61657Wikimedia Vector 安全漏洞
CVE-2025-61653Extension:TextExtracts does not check for authorizeRead when returning extracts
CVE-2025-61652Action API discussiontoolspageinfo does not check for authorizeRead for the page
CVE-2025-61647UserInfoCard: Don't allow access to information about users who are suppressed if you don'
CVE-2025-67477Stored XSS through a system message in Special:ApiSandbox
CVE-2025-67475Stored XSS through edit summaries in MW Core
CVE-2025-67480list=allrevisions can be used to bypass Extension:Lockdown
CVE-2025-67479Magic word replacement in legacy parser allows using reserved data attributes through wiki
CVE-2025-67478Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, J
CVE-2025-61648Stored XSS through system messages in CheckUser

Showing top 20 of 26 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: CheckUser
Same vendor: Wikimedia Foundation

V. Comments for CVE-2025-61649

No comments yet

Leave a comment