{"id":"CVE-2025-11261","details":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js.\n\nThis issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2.","modified":"2026-07-15T06:21:45.676700Z","published":"2026-02-03T01:15:57.483Z","references":[{"type":"WEB","url":"https://https://phabricator.wikimedia.org/T406322"},{"type":"REPORT","url":"https://phabricator.wikimedia.org/T402077"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wikimedia/mediawiki","events":[{"introduced":"0"},{"fixed":"0f21d5c6a37f7baa19c33a4f96bc04ab7992ca42"},{"introduced":"8216997ffcc956a610635f07044fb9a3b5dda9d9"},{"fixed":"b2a11b6991c9aafa44dd5bc743746123849eafb3"},{"introduced":"858ee255edbe0da2ff8152df403cac2dba2c9948"},{"fixed":"ed6df93416845d268d2469670491b9ae222ab9e7"}],"database_specific":{"cpe":"cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.39.15"},{"introduced":"1.43.0"},{"fixed":"1.43.5"},{"introduced":"1.44.0"},{"fixed":"1.44.2"}],"source":"CPE_RANGE"}}],"versions":["1.43.4","1.39.14","1.44.0","1.43.3","1.43.2","1.39.13","1.43.1","1.39.12","1.43.0","1.39.11","1.39.10","1.39.9","1.39.8","1.39.7","1.39.7-alpha-T317451.2","1.39.6","1.39.5","1.39.4","1.39.3","1.39.2","1.39.1","1.39.0","1.39.0-rc.1","1.39.0-rc.0","test-hashar-for-ci","1.6.0","1.5.0beta4","1.5.0beta3","1.5.0beta2","1.5.0beta1","1.5.0alpha2","1.5.0alpha1","1.3.0beta1","1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11261.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}