Nixpkgs Security Tracker

Untriaged

Permalink CVE-2025-67484

created 21 hours ago

Action API xslt option allows JavaScript execution by administrators who are not interface administrators

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki

<1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.0
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0
nixos-25.11 -
- nixos-25.11-small 1.44.2
- nixpkgs-25.11-darwin 1.44.2
nixos-25.05 1.43.5
- nixos-25.05-small 1.43.5
- nixpkgs-25.05-darwin 1.43.5

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@astro Astro <astro@spaceboyz.net>

Suggestion detail

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers