CVE-2025-53479
CheckUser: Reflected Cross-Site Scripting (XSS) in Special:CheckUser via unsanitized internationalized message
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
CheckUser: Reflected Cross-Site Scripting (XSS) in Special:CheckUser via unsanitized internationalized message
The CheckUser extension’s Special:CheckUser interface is vulnerable to reflected XSS via the rev-deleted-user message. This message is rendered without proper escaping, making it possible to inject JavaScript through the uselang=x-xss language override mechanism. This issue affects Mediawiki - CheckUser extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Reserved 2025-06-30 | Published 2025-07-08 | Updated 2025-07-10 | Assigner wikimedia-foundationCWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
phabricator.wikimedia.org/T394693
gerrit.wikimedia.org/...14543912cb3bc7f4a00c3090c0285b154786
Support options
