CVE-2025-61636

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php.

This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

References

https://phabricator.wikimedia.org/T394396

Affected packages

Git / github.com/wikimedia/mediawiki

Affected ranges

Type

GIT

Repo

https://github.com/wikimedia/mediawiki

Events

Introduced

Fixed

4db15f479679fa4102789af77077c357af462501

Introduced

0f21d5c6a37f7baa19c33a4f96bc04ab7992ca42

Fixed

c4b6b0912db6e5e4d3c0368226d4a164a1fc9fc3

Introduced

b2a11b6991c9aafa44dd5bc743746123849eafb3

Fixed

02f60e14ba59bfe6d4533054d7951887bc5f3702

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.39.14"
        },
        {
            "introduced": "1.39.15"
        },
        {
            "fixed": "1.43.4"
        },
        {
            "introduced": "1.43.5"
        },
        {
            "fixed": "1.44.1"
        }
    ]
}

Affected versions

1.*

1.1.0

1.3.0beta1

1.39.0

1.39.0-rc.0

1.39.0-rc.1

1.39.1

1.39.10

1.39.11

1.39.12

1.39.13

1.39.2

1.39.3

1.39.4

1.39.5

1.39.6

1.39.7

1.39.8

1.39.9

1.43.0

1.43.0-rc.0

1.43.1

1.43.2

1.43.3

1.44.0

1.44.0-rc.0

1.5.0alpha1

1.5.0alpha2

1.5.0beta1

1.5.0beta2

1.5.0beta3

1.5.0beta4

1.6.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61636.json"