Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-67482— Lua segfault in unpack()

EPSS 0.02% · P6
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-67482

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Lua segfault in unpack()
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wikimedia Scribunto 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wikimedia Scribunto是Wikimedia基金会的一个脚本开发工具。 Wikimedia Scribunto和luasandbox存在安全漏洞,该漏洞源于includes/Engines/LuaCommon/lualib/mwInit.Lua和library.C文件存在缺陷。以下产品及版本受到影响:Scribunto 1.39.16之前版本、1.43.6之前版本、1.44.3之前版本、1.45.1之前版本和luasandbox fea2304f8f6ab30314369a612f4f5b1
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Wikimedia FoundationScribunto * ~ 1.39.16, 1.43.6, 1.44.3, 1.45.1 -
Wikimedia Foundationluasandbox * ~ fea2304f8f6ab30314369a612f4f5b165e68e95a -

II. Public POCs for CVE-2025-67482

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-67482

登录查看更多情报信息。

Same Patch Batch · Wikimedia Foundation · 2026-02-03 · 26 CVEs total

CVE-2025-67477Stored XSS through a system message in Special:ApiSandbox
CVE-2025-67483Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection leve
CVE-2025-67481mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does
CVE-2025-67484Action API xslt option allows JavaScript execution by administrators who are not interface
CVE-2025-61655Stored XSS through system messages in VisualEditor
CVE-2025-61658Special:GlobalContributions shows edits on wikis the viewer doesn't have access to
CVE-2025-61656XSS when pasting into VE
CVE-2025-61651i18n XSS through Special:CheckUser CheckUser helper
CVE-2025-61654UserInfoCard: Do permission checking when getting counts of global and local edits, new ar
CVE-2025-61657Wikimedia Vector 安全漏洞
CVE-2025-61653Extension:TextExtracts does not check for authorizeRead when returning extracts
CVE-2025-61652Action API discussiontoolspageinfo does not check for authorizeRead for the page
CVE-2025-67476Importing leaks IP address of importer via EventStreams
CVE-2025-61647UserInfoCard: Don't allow access to information about users who are suppressed if you don'
CVE-2025-67475Stored XSS through edit summaries in MW Core
CVE-2025-67480list=allrevisions can be used to bypass Extension:Lockdown
CVE-2025-67479Magic word replacement in legacy parser allows using reserved data attributes through wiki
CVE-2025-67478Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, J
CVE-2025-61649UserInfoCard: Check that performing user has permission to view log entries for number of
CVE-2025-61648Stored XSS through system messages in CheckUser

Showing top 20 of 26 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Scribunto
Same vendor: Wikimedia Foundation

V. Comments for CVE-2025-67482

No comments yet

Leave a comment