Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-67478— Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, Jähn"

EPSS 0.02% · P6
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-67478

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, Jähn"
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wikimedia CheckUser 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wikimedia CheckUser是Wikimedia基金会的一个打击破坏行为的高级调查工具。 Wikimedia CheckUser 1.39.14之前版本、1.43.4之前版本和1.44.1之前版本存在安全漏洞,该漏洞源于includes/Mail/UserMailer.Php文件存在缺陷。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Wikimedia FoundationCheckUser * ~ 1.39.14, 1.43.4, 1.44.1 -

II. Public POCs for CVE-2025-67478

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-67478

登录查看更多情报信息。

Same Patch Batch · Wikimedia Foundation · 2026-02-03 · 26 CVEs total

CVE-2025-67476Importing leaks IP address of importer via EventStreams
CVE-2025-67483Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection leve
CVE-2025-67481mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does
CVE-2025-67484Action API xslt option allows JavaScript execution by administrators who are not interface
CVE-2025-67482Lua segfault in unpack()
CVE-2025-61655Stored XSS through system messages in VisualEditor
CVE-2025-61658Special:GlobalContributions shows edits on wikis the viewer doesn't have access to
CVE-2025-61656XSS when pasting into VE
CVE-2025-61651i18n XSS through Special:CheckUser CheckUser helper
CVE-2025-61654UserInfoCard: Do permission checking when getting counts of global and local edits, new ar
CVE-2025-61657Wikimedia Vector 安全漏洞
CVE-2025-61653Extension:TextExtracts does not check for authorizeRead when returning extracts
CVE-2025-61652Action API discussiontoolspageinfo does not check for authorizeRead for the page
CVE-2025-61647UserInfoCard: Don't allow access to information about users who are suppressed if you don'
CVE-2025-67477Stored XSS through a system message in Special:ApiSandbox
CVE-2025-67475Stored XSS through edit summaries in MW Core
CVE-2025-67480list=allrevisions can be used to bypass Extension:Lockdown
CVE-2025-67479Magic word replacement in legacy parser allows using reserved data attributes through wiki
CVE-2025-61649UserInfoCard: Check that performing user has permission to view log entries for number of
CVE-2025-61648Stored XSS through system messages in CheckUser

Showing top 20 of 26 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: CheckUser
Same vendor: Wikimedia Foundation

V. Comments for CVE-2025-67478

No comments yet

Leave a comment