
Debian LTS Advisory DLA-4249-1                [email protected]
https://www.debian.org/lts/security/          Guilhem Moulin
July 23, 2025                                 https://wiki.debian.org/LTS

Package : mediawiki
Version : 1:1.35.13-1+deb11u4
CVE ID  : CVE-2025-3469 CVE-2025-6590 CVE-2025-6591 CVE-2025-6593
          CVE-2025-6594 CVE-2025-6595 CVE-2025-6597 CVE-2025-6926
          CVE-2025-32072 CVE-2025-32696 CVE-2025-32698 CVE-2025-32699

Multiple security vulnerabilities were found in mediawiki, a website engine for collaborative work, that could lead to information disclosure or privilege escalation.

CVE-2025-3469

    User input was not properly sanitized during web page generation, which could lead to information disclosure or privilege escalation via Cross-site Scripting.

CVE-2025-6590

    User input was not sanitized in the password reset form, which could lead to information disclosure for private pages via transclusion.

CVE-2025-6591

    HTML injection in API `action=feedcontributions` output from i18n messages.

CVE-2025-6593

    "{{SITENAME}} registered email address has been changed" email was sent to unverified email addresses, which could lead to information disclosure.

CVE-2025-6594

    XSS in Special:ApiSandbox. While the known issue is not exploitable in ≤1.39, the backported changes provide some security hardening just in case.

CVE-2025-6595

    Stored XSS through system messages in MultimediaViewer.

…