CVE-2026-58025 PUBLISHED

Remote Code Execution via Unsafe Deserialization in LogItem Import

Assigner: wikimedia-foundation
Reserved: 27.06.2026 Published: 01.07.2026 Updated: 01.07.2026

Deserialization of untrusted data vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files includes/Import/WikiImporter.php, includes/Import/WikiRevision.php, includes/Logging/LogEntryBase.php.

This issue affects MediaWiki: all versions before 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L
CVSS Score: 5.9

Product Status

Vendor Wikimedia Foundation
Product MediaWiki
Versions Default: unaffected
  • affected from * to 1.46.0, 1.45.4, 1.44.6, 1.43.9 (excl.)

Problem Types

  • CWE-502 Deserialization of untrusted data
  • CWE-94