{
  "threat_severity" : "Important",
  "public_date" : "2026-02-02T23:00:57Z",
  "bugzilla" : {
    "description" : "MediaWiki: Cross-site Scripting vulnerability via improper input neutralization",
    "id" : "2436122",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2436122"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-79",
  "details" : [ "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js.\nThis issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.", "A flaw was found in MediaWiki. This improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS), allows a remote attacker to inject malicious scripts into web pages. This can lead to information disclosure, session hijacking, or arbitrary script execution within the context of the user's browser." ],
  "statement" : "This Cross-site Scripting (XSS) vulnerability in MediaWiki's `Special:ApiSandbox` component requires user interaction for exploitation. The flaw affects MediaWiki versions from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, and 1.44.0. This issue primarily impacts deployments of MediaWiki within Community Projects, such as Fedora.",
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-6594\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6594\nhttps://phabricator.wikimedia.org/T395063" ],
  "name" : "CVE-2025-6594",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}