{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-61642", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "state": "PUBLISHED", "assignerShortName": "wikimedia-foundation", "dateReserved": "2025-09-29T13:18:37.248Z", "datePublished": "2026-02-02T23:36:42.550Z", "dateUpdated": "2026-02-03T21:16:42.867Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MediaWiki", "programFiles": ["includes/htmlform/CodexHTMLForm.php", "includes/htmlform/fields/HTMLButtonField.php"], "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master", "vendor": "Wikimedia Foundation", "versions": [{"lessThan": "1.39.14, 1.43.4, 1.44.1", "status": "affected", "version": "*", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.<p> This vulnerability is associated with program files <tt>includes/htmlform/CodexHTMLForm.Php</tt>, <tt>includes/htmlform/fields/HTMLButtonField.Php</tt>.</p><p>This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php.\n\nThis issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 0, "baseSeverity": "NONE", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2026-02-02T23:36:42.550Z"}, "references": [{"url": "https://phabricator.wikimedia.org/T402313"}], "source": {"discovery": "UNKNOWN"}, "title": "Stored XSS through system messages provided to CodexHtmlForms", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T21:16:31.056638Z", "id": "CVE-2025-61642", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T21:16:42.867Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php.\n\nThis issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1."}], "id": "CVE-2025-61642", "lastModified": "2026-02-03T16:44:03.343", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}, "published": "2026-02-03T00:16:10.140", "references": [{"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://phabricator.wikimedia.org/T402313"}], "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}

{"bugzilla": {"description": "MediaWiki: MediaWiki: Cross-site Scripting (XSS) vulnerability via improper input neutralization", "id": "2436104", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436104"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in MediaWiki. This improper neutralization of input during web page generation, also known as Cross-site Scripting (XSS), allows a remote attacker to inject malicious scripts into web pages viewed by other users. This can lead to information disclosure or other client-side attacks."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-61642", "public_date": "2026-02-02T23:36:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-61642\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-61642\nhttps://phabricator.wikimedia.org/T402313"], "statement": "This vulnerability involves a Stored Cross-site Scripting (XSS) flaw in MediaWiki, allowing an attacker to inject malicious scripts into system messages. When other users view these messages, the scripts could execute in their browsers. This issue affects MediaWiki versions prior to 1.39.14, 1.43.4, and 1.44.1. Red Hat products are not directly affected as MediaWiki is not a default component of Red Hat Enterprise Linux.", "threat_severity": "Moderate"}

{}