{"id":"CVE-2025-61638","details":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with the program files includes/parser/Sanitizer.php, src/Core/Sanitizer.php.\n\nThis issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1.","modified":"2026-04-16T04:42:19.832064294Z","published":"2026-02-03T00:16:09.617Z","references":[{"type":"ADVISORY","url":"https://phabricator.wikimedia.org/T401099"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wikimedia/mediawiki","events":[{"introduced":"0"},{"fixed":"4db15f479679fa4102789af77077c357af462501"},{"introduced":"0f21d5c6a37f7baa19c33a4f96bc04ab7992ca42"},{"fixed":"c4b6b0912db6e5e4d3c0368226d4a164a1fc9fc3"},{"introduced":"b2a11b6991c9aafa44dd5bc743746123849eafb3"},{"fixed":"02f60e14ba59bfe6d4533054d7951887bc5f3702"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.39.14"},{"introduced":"1.39.15"},{"fixed":"1.43.4"},{"introduced":"1.43.5"},{"fixed":"1.44.1"}]}},{"type":"GIT","repo":"https://github.com/wikimedia/parsoid","events":[{"introduced":"0"},{"fixed":"622dab8dacffd08ec092071ee78499c62e936391"},{"introduced":"0"},{"fixed":"75f04e1f7b6f46af9437a34ecf72b1953c5ab59c"},{"introduced":"0"},{"fixed":"73dd5f50537b9f72f70ca53c723124a2d26c1427"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.16.6"},{"introduced":"0"},{"fixed":"0.20.4"},{"introduced":"0"},{"fixed":"0.21.1"}]}}],"versions":["0.12.0-a1","0.19.0-a14","1.1.0","1.3.0beta1","1.39.0","1.39.0-rc.0","1.39.0-rc.1","1.39.1","1.39.10","1.39.11","1.39.12","1.39.13","1.39.2","1.39.3","1.39.4","1.39.5","1.39.6","1.39.7","1.39.8","1.39.9","1.43.0","1.43.0-rc.0","1.43.1","1.43.2","1.43.3","1.44.0","1.44.0-rc.0","1.5.0alpha1","1.5.0alpha2","1.5.0beta1","1.5.0beta2","1.5.0beta3","1.5.0beta4","1.6.0","test-isabelle","v0.10.0","v0.11.
0","v0.12.0-a10","v0.12.0-a11","v0.12.0-a12","v0.12.0-a13","v0.12.0-a14","v0.12.0-a15","v0.12.0-a16","v0.12.0-a17","v0.12.0-a18","v0.12.0-a19","v0.12.0-a20","v0.12.0-a21","v0.12.0-a22","v0.12.0-a3","v0.12.0-a4","v0.12.0-a5","v0.12.0-a6","v0.12.0-a7","v0.12.0-a8","v0.12.0-a9","v0.13.0","v0.13.0-a1","v0.13.0-a10","v0.13.0-a11","v0.13.0-a12","v0.13.0-a14","v0.13.0-a15","v0.13.0-a17","v0.13.0-a18","v0.13.0-a19","v0.13.0-a2","v0.13.0-a20","v0.13.0-a21","v0.13.0-a22","v0.13.0-a23","v0.13.0-a24","v0.13.0-a25","v0.13.0-a26","v0.13.0-a27","v0.13.0-a28","v0.13.0-a29","v0.13.0-a30","v0.13.0-a31","v0.13.0-a32","v0.13.0-a4","v0.13.0-a5","v0.13.0-a6","v0.13.0-a7","v0.13.0-a8","v0.13.0-a9","v0.14.0-a1","v0.14.0-a11","v0.14.0-a12","v0.14.0-a13","v0.14.0-a14","v0.14.0-a15","v0.14.0-a16","v0.14.0-a17","v0.14.0-a18","v0.14.0-a19","v0.14.0-a2","v0.14.0-a3","v0.14.0-a4","v0.14.0-a5","v0.14.0-a6","v0.14.0-a7","v0.14.0-a8","v0.14.0-a9","v0.15.0-a1","v0.15.0-a10","v0.15.0-a11","v0.15.0-a12","v0.15.0-a13","v0.15.0-a14","v0.15.0-a15","v0.15.0-a16","v0.15.0-a17","v0.15.0-a18","v0.15.0-a19","v0.15.0-a2","v0.15.0-a20","v0.15.0-a21","v0.15.0-a22","v0.15.0-a23","v0.15.0-a24","v0.15.0-a25","v0.15.0-a26","v0.15.0-a3","v0.15.0-a4","v0.15.0-a5","v0.15.0-a6","v0.15.0-a7","v0.15.0-a8","v0.16.0","v0.16.0-a1","v0.16.0-a10","v0.16.0-a11","v0.16.0-a12","v0.16.0-a13","v0.16.0-a14","v0.16.0-a15","v0.16.0-a16","v0.16.0-a17","v0.16.0-a18","v0.16.0-a19","v0.16.0-a2","v0.16.0-a20","v0.16.0-a21","v0.16.0-a3","v0.16.0-a4","v0.16.0-a5","v0.16.0-a6","v0.16.0-a7","v0.16.0-a8","v0.16.0-a9","v0.16.1","v0.16.2","v0.16.3","v0.16.4","v0.16.5","v0.17.0-a1","v0.17.0-a10","v0.17.0-a11","v0.17.0-a12","v0.17.0-a13","v0.17.0-a14","v0.17.0-a15","v0.17.0-a17","v0.17.0-a18","v0.17.0-a19","v0.17.0-a2","v0.17.0-a20","v0.17.0-a21","v0.17.0-a3","v0.17.0-a4","v0.17.0-a5","v0.17.0-a7","v0.17.0-a8","v0.17.0-a9","v0.18.0-a1","v0.18.0-a10","v0.18.0-a11","v0.18.0-a12","v0.18.0-a13","v0.18.0-a14","v0.18.0-a15","v0.18.0-a16","v0.18.0-a17","v0
.18.0-a18","v0.18.0-a19","v0.18.0-a2","v0.18.0-a20","v0.18.0-a21","v0.18.0-a22","v0.18.0-a23","v0.18.0-a24","v0.18.0-a25","v0.18.0-a26","v0.18.0-a27","v0.18.0-a28","v0.18.0-a29","v0.18.0-a3","v0.18.0-a4","v0.18.0-a5","v0.18.0-a6","v0.18.0-a7","v0.18.0-a8","v0.18.0-a9","v0.19.0-a1","v0.19.0-a10","v0.19.0-a11","v0.19.0-a12","v0.19.0-a13","v0.19.0-a14","v0.19.0-a15","v0.19.0-a16","v0.19.0-a17","v0.19.0-a18","v0.19.0-a19","v0.19.0-a2","v0.19.0-a20","v0.19.0-a21","v0.19.0-a22","v0.19.0-a23","v0.19.0-a24","v0.19.0-a25","v0.19.0-a3","v0.19.0-a4","v0.19.0-a5","v0.19.0-a6","v0.19.0-a7","v0.19.0-a8","v0.19.0-a9","v0.2.0","v0.20.0","v0.20.0-a1","v0.20.0-a10","v0.20.0-a11","v0.20.0-a12","v0.20.0-a13","v0.20.0-a14","v0.20.0-a15","v0.20.0-a16","v0.20.0-a17","v0.20.0-a18","v0.20.0-a19","v0.20.0-a2","v0.20.0-a20","v0.20.0-a21","v0.20.0-a22","v0.20.0-a23","v0.20.0-a24","v0.20.0-a25","v0.20.0-a27","v0.20.0-a3","v0.20.0-a4","v0.20.0-a5","v0.20.0-a6","v0.20.0-a7","v0.20.0-a8","v0.20.0-a9","v0.20.1","v0.20.2","v0.20.3","v0.21.0","v0.21.0-a1","v0.21.0-a10","v0.21.0-a11","v0.21.0-a12","v0.21.0-a13","v0.21.0-a14","v0.21.0-a15","v0.21.0-a16","v0.21.0-a17","v0.21.0-a19","v0.21.0-a2","v0.21.0-a20","v0.21.0-a21","v0.21.0-a22","v0.21.0-a23","v0.21.0-a24","v0.21.0-a25","v0.21.0-a26","v0.21.0-a27","v0.21.0-a28","v0.21.0-a3","v0.21.0-a4","v0.21.0-a5","v0.21.0-a6","v0.21.0-a7","v0.21.0-a8","v0.21.0-a9","v0.22.0-a1","v0.3.0","v0.4.0","v0.4.1","v0.5.0","v0.5.1","v0.5.2","v0.6.0","v0.6.1","v0.7.0","v0.7.1","v0.8.0","v0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61638.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}