| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2025-61638 | Sanitizer::validateAttributes data-XSS | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:52:10 | Deep Dive |
| CVE-2025-61639 | Suppressed blocked IP is visible in Special:BlockList, RC, and other places | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:48:03 | Deep Dive |
| CVE-2025-61640 | Stored XSS through system messages in Special:RecentChangesLinked (MW Core) | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:42:04 | Deep Dive |
| CVE-2025-61641 | API list=allpages with maxsize is making really slow queries | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:39:39 | Deep Dive |
| CVE-2025-61642 | Stored XSS through system messages provided to CodexHtmlForms | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:36:43 | Deep Dive |
| CVE-2025-61643 | EventStreams publishes suppressed recent change entries that are suppressed from their creation | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:33:50 | Deep Dive |
| CVE-2025-61634 | HTML rest endpoint needs PoolCounter and proper parser cache check | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:28:54 | Deep Dive |
| CVE-2025-61635 | Add rate limiting to ApiFancyCaptchaReload | Wikimedia Foundation | ConfirmEdit | - | - | 2026-02-02 23:26:15 | Deep Dive |
| CVE-2025-61636 | Codex Special:Block vulnerable to message key XSS | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:23:27 | Deep Dive |
| CVE-2025-6589 | With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:03:46 | Deep Dive |
| CVE-2025-6590 | Complete content leak of private wikis due to PasswordReset Wikitext injection in error message | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:03:08 | Deep Dive |
| CVE-2025-6591 | HTML injection in API action=feedcontributions output from i18n message | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:02:34 | Deep Dive |
| CVE-2025-6592 | Creating a permanent account from a temporary account associates temp username and IP address with real username in AbuseLog | Wikimedia Foundation | AbuseFilter | - | - | 2026-02-02 23:02:13 | Deep Dive |
| CVE-2025-6593 | "{{SITENAME}} registered email address has been changed" email sent to unverified email addresses | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:01:29 | Deep Dive |
| CVE-2025-6594 | XSS in Special:ApiSandbox | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 23:00:58 | Deep Dive |
| CVE-2025-6595 | MediaWiki security vulnerability | Wikimedia Foundation | MultimediaViewer | - | - | 2026-02-02 22:59:43 | Deep Dive |
| CVE-2025-6596 | Vector inserts portlet labels as HTML, allowing for stored XSS through system messages | Wikimedia Foundation | Vector | - | - | 2026-02-02 22:58:21 | Deep Dive |
| CVE-2025-6597 | MediaWiki should not consider autocreation as login for the purposes of security reauthentication | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 22:57:30 | Deep Dive |
| CVE-2025-6927 | Autoblocks from global account suppressions are publicly visible | Wikimedia Foundation | MediaWiki | - | - | 2026-02-02 22:55:09 | Deep Dive |
| CVE-2025-11175 | DiscussionTools should use better regex | The Wikimedia Foundation | Mediawiki - DiscussionTools Extension | - | - | 2026-01-30 19:12:07 | Deep Dive |