CVE-2025-61642— Stored XSS through system messages provided to CodexHtmlForms

EPSS 0.01% · P0 Updated Feb 04, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-61642

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Stored XSS through system messages provided to CodexHtmlForms

Source: NVD (National Vulnerability Database)

Vulnerability Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

MediaWiki 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

MediaWiki是美国维基媒体（Wikimedia）基金会的一套自由免费的基于网络的Wiki引擎。该产品可用于部署内部的知识管理和内容管理系统。 MediaWiki 1.39.14之前版本、1.43.4之前版本和1.44.1之前版本存在安全漏洞，该漏洞源于程序文件includes/htmlform/CodexHTMLForm.Php和includes/htmlform/fields/HTMLButtonField.Php存在输入中和不当，可能导致跨站脚本攻击。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Wikimedia Foundation	MediaWiki	* ~ 1.39.14, 1.43.4, 1.44.1	-

II. Public POCs for CVE-2025-61642

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-61642

请登录查看更多情报信息。

https://nvd.nist.gov/vuln/detail/CVE-2025-61642

Same Patch Batch · Wikimedia Foundation · 2026-02-02 · 21 CVEs total

CVE-2025-61635		Add rate limiting to ApiFancyCaptchaReload
CVE-2025-61644		i18n XSS through Special:Watchlist
CVE-2025-61643		EventStreams publishes suppressed recent change entries that are suppressed from their cre
CVE-2025-61641		API list=allpages with maxsize is making really slow queries
CVE-2025-61638		Sanitizer::validateAttributes data-XSS
CVE-2025-61634		HTML rest endpoint needs PoolCounter and proper parser cache check
CVE-2025-61640		Stored XSS through system messages in Special:RecentChangesLinked (MW Core)
CVE-2025-61637		Stored XSS through system messages in MW Core
CVE-2025-61639		Suppressed blocked IP is visible in Special:BlockList, RC, and other places
CVE-2025-61636		Codex Special:Block vulnerable to message key XSS
CVE-2025-6594		XSS in Special:ApiSandbox
CVE-2025-6591		HTML injection in API action=feedcontributions output from i18n message
CVE-2025-6595		MediaWiki 安全漏洞
CVE-2025-6592		Creating a permanent account from a temporary account associates temp username and IP addr
CVE-2025-6927		Autoblocks from global account suppressions are publicly visible
CVE-2025-6597		MediaWiki should not consider autocreation as login for the purposes of security reauthent
CVE-2025-6596		Vector inserts portlet labels as HTML, allowing for stored XSS through system messages
CVE-2025-6593		"{{SITENAME}} registered email address has been changed" email sent to unverified email ad
CVE-2025-6589		With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hi
CVE-2025-6590		Complete content leak of private wikis due to PasswordReset Wikitext injection in error me

IV. Related Vulnerabilities

Same product: MediaWiki

Same vendor: Wikimedia Foundation

Same weakness: CWE-79

V. Comments for CVE-2025-61642

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-61642— Stored XSS through system messages provided to CodexHtmlForms

I. Basic Information for CVE-2025-61642

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-61642

III. Intelligence Information for CVE-2025-61642

Same Patch Batch · Wikimedia Foundation · 2026-02-02 · 21 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-61642

Leave a comment