CVE-2025-67479 Magic word replacement in legacy parser allows using reserved data attributes through wikitext

🗓️ 03 Feb 2026 01:12:21Reported by wikimedia-foundationType

CVE-2025-67479: Legacy parser magic word allows reserved data attributes via wikitext on MediaWiki and Cite.

Reporter	Title	Published	Views	Family All 24
ATTACKERKB	CVE-2025-67479	3 Feb 202601:12	–	attackerkb
CNNVD	Wikimedia MediaWiki 安全漏洞	3 Feb 202600:00	–	cnnvd
CVE	CVE-2025-67479	3 Feb 202601:12	–	cve
Debian	[SECURITY] [DLA 4428-1] mediawiki security update	30 Dec 202515:55	–	debian
Debian	[SECURITY] [DSA 6085-1] mediawiki security update	19 Dec 202519:30	–	debian
Debian CVE	CVE-2025-67479	3 Feb 202601:12	–	debiancve
Tenable Nessus	Debian dla-4428 : mediawiki - security update	30 Dec 202500:00	–	nessus
Tenable Nessus	Debian dsa-6085 : mediawiki - security update	19 Dec 202500:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2025-67479	12 Dec 202500:00	–	nessus
EUVD	EUVD-2025-206754	3 Feb 202601:12	–	euvd

[
  {
    "defaultStatus": "unaffected",
    "product": "MediaWiki",
    "programFiles": [
      "includes/Parser/CoreParserFunctions.php",
      "includes/Parser/Sanitizer.php"
    ],
    "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
    "vendor": "Wikimedia Foundation",
    "versions": [
      {
        "lessThan": "1.39.14, 1.43.4, 1.44.1",
        "status": "affected",
        "version": "*",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Cite",
    "repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/Cite/+/refs/heads/master",
    "vendor": "Wikimedia Foundation",
    "versions": [
      {
        "lessThan": "1.39.14, 1.43.4, 1.44.1",
        "status": "affected",
        "version": "*",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
phabricator	www.phabricator.wikimedia.org/T407131

03 Feb 2026 01:12Current

CVSS 40

EPSS0.0027