CVE-2025-53480
CheckUser: Reflected Cross-Site Scripting (XSS) in Special:Investigate (Account information tab) via unsanitized i18n messages
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
CheckUser: Reflected Cross-Site Scripting (XSS) in Special:Investigate (Account information tab) via unsanitized i18n messages
The CheckUser extension’s Special:Investigate page has a vulnerability in the Account information tab, where specific internationalized messages are rendered without proper escaping. Attackers can exploit this by appending ?uselang=x-xss to the URL, causing reflected XSS when the UI renders affected message keys. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Reserved 2025-06-30 | Published 2025-07-08 | Updated 2025-07-08 | Assigner wikimedia-foundationCWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
phabricator.wikimedia.org/T394700
gerrit.wikimedia.org/...c55fef15c3b00df0db268af2b64cb2d6e381
Support options
