Vulnerability Details :

CVE-2025-6593

Summary
Assigner: wikimedia-foundation
Assigner Org ID: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
Published At: 02 Feb, 2026 | 23:01
Updated At: 04 Feb, 2026 | 14:45

"{{SITENAME}} registered email address has been changed" email sent to unverified email addresses

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)
Affected Products
Vendor: Wikimedia Foundation
Product: MediaWiki
Repo: https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master
Program Files: includes/user/User.php
Default Status: unaffected
Versions (affected): From 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0 (semver)
Metrics
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
References
Hyperlink: https://phabricator.wikimedia.org/T396230
Resource: N/A
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Problem Types
Type: CWE
CWE ID: CWE-200
Description: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
National Vulnerability Database (NVD)
nvd.nist.gov
Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
Published At: 02 Feb, 2026 | 23:16
Updated At: 04 Feb, 2026 | 15:16

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
CWE ID: CWE-200
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
References
Hyperlink: https://phabricator.wikimedia.org/T396230
Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
Resource: N/A


Similar CVEs

7 Records found

CVE-2025-6590
Matching Score: 6
Assigner: The Wikimedia Foundation
CVSS Score: 4.6 (MEDIUM)
EPSS: 0.01% / 1.79%
7 Day CHG: ~0.00%
Published: 02 Feb, 2026 | 23:03
Updated: 03 Feb, 2026 | 21:11
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Complete content leak of private wikis due to PasswordReset Wikitext injection in error message

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0.

Action: Not Available
Vendor: Wikimedia Foundation
Product: MediaWiki
CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

CVE-2025-61639
Matching Score: 6
Assigner: The Wikimedia Foundation
CVSS Score: 1.7 (LOW)
EPSS: 0.07% / 21.13%
7 Day CHG: +0.02%
Published: 02 Feb, 2026 | 23:48
Updated: 03 Feb, 2026 | 21:10
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Suppressed blocked IP is visible in Special:BlockList, RC, and other places

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.php, includes/recentchanges/RecentChangeFactory.php, includes/recentchanges/RecentChangeStore.php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Action: Not Available
Vendor: Wikimedia Foundation
Product: MediaWiki
CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

CVE-2013-6455
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.39% / 59.47%
7 Day CHG: ~0.00%
Published: 28 Jan, 2020 | 14:54
Updated: 06 Aug, 2024 | 17:39
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page.

Action: Not Available
Vendor: Wikimedia Foundation
Product: mediawiki, MediaWiki
CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

CVE-2025-32700
Matching Score: 6
Assigner: The Wikimedia Foundation
CVSS Score: 2.3 (LOW)
EPSS: 0.48% / 64.52%
7 Day CHG: ~0.00%
Published: 10 Apr, 2025 | 18:31
Updated: 11 Apr, 2025 | 15:39
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
AbuseFilter log interfaces expose global private and hidden filters when central DB is not available

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.php, includes/Pager/AbuseLogPager.php, includes/Special/SpecialAbuseLog.php, includes/View/AbuseFilterViewExamine.php. This issue affects AbuseFilter: from >= 1.43.0 before 1.43.1.

Action: Not Available
Vendor: Wikimedia Foundation
Product: MediaWiki
CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

CVE-2025-23073
Matching Score: 6
Assigner: The Wikimedia Foundation
CVSS Score: 3.5 (LOW)
EPSS: 0.08% / 22.91%
7 Day CHG: ~0.00%
Published: 14 Jan, 2025 | 18:45
Updated: 16 Oct, 2025 | 23:15
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly impacted the master branch of MediaWiki’s GlobalBlocking Extension.

Action: Not Available
Vendor: Wikimedia Foundation
Product: Mediawiki - GlobalBlocking Extension
CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
CWE ID: CWE-88 (Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'))

CVE-2025-23074
Matching Score: 6
Assigner: The Wikimedia Foundation
CVSS Score: 2.4 (LOW)
EPSS: 0.09% / 25.50%
7 Day CHG: ~0.00%
Published: 14 Jan, 2025 | 18:58
Updated: 31 Jan, 2025 | 17:15
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse. This issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Action: Not Available
Vendor: Wikimedia Foundation
Product: Mediawiki - SocialProfile Extension
CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

CVE-2025-32698
Matching Score: 6
Assigner: The Wikimedia Foundation
CVSS Score: 2.1 (LOW)
EPSS: 0.48% / 64.52%
7 Day CHG: ~0.00%
Published: 10 Apr, 2025 | 18:29
Updated: 03 Nov, 2025 | 20:18
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.

Action: Not Available
Vendor: Wikimedia Foundation
Product: MediaWiki
CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)