Cross-Site Scripting Vulnerability in Wikimedia Foundation MediaWiki and Parsoid
CVE-2025-61638

NONE

Key Information:

Vendor

Wikimedia Foundation

Status
Mediawiki
Parsoid
Vendor
CVE Published:
2 February 2026

What is CVE-2025-61638?

An improper neutralization of input during web page generation vulnerability has been identified in Wikimedia Foundation's MediaWiki and Parsoid. An attacker could exploit this flaw to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, or site defacement. Affected versions of MediaWiki include those prior to 1.39.14, as well as 1.43.4 and 1.44.1, while Parsoid versions before 0.16.6, 0.20.4, and 0.21.1 are also susceptible. Immediate action is recommended to mitigate the risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MediaWiki * < 1.39.14, 1.43.4, 1.44.1

Parsoid * < 0.16.6, 0.20.4, 0.21.1

References

https://phabricator.wikimedia.org/T401099

CVSS V4

Score:
Severity:
NONE
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.