CVE-2025-53478

CVE-2025-53478: CheckUser: Reflected Cross-Site Scripting (XSS) in Special:Investigate via unsanitized i18n messages

Vendor Wikimedia Foundation
Product Mediawiki - CheckUser extension
Weakness CWE-79 · XSS
Published July 7, 2025
Last update July 7, 2025

CVSS base score

What the vulnerability does

01Description

The CheckUser extension’s Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the “IPs and User agents” tab. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Key dates

02Disclosure timeline

July 7, 2025 CVE published
July 7, 2025 Record updated