Key Information

Vulnerability ID: CVE-2025-53496
Vulnerability Type: Stored XSS (Cross-Site Scripting)
Affected Component: MediaSearch extension
Description: The MediaSearch extension allows HTML to be inserted into system messages, leading to a stored XSS vulnerability.
Cause: The MediaWiki MediaSearch extension does not properly sanitize user-supplied HTML content, allowing malicious scripts to be stored and executed when displayed later.
Fixed Version: This vulnerability is fixed in MediaWiki 1.41.0-wmf.28 and later versions.

Additional Information

Related Patches:
- Patch #1: SECURITY: Insert message as text instead of HTML
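
The patch title names the fix pattern: insert the message as text instead of HTML. The following is an added example, not code from the MediaSearch extension; the message key, its stored value and all function names are constructed for illustration. It renders the same stored message both ways and counts the element tags that reach the page.

```javascript
// Added example. The message key and value are constructed for illustration;
// they are not taken from the MediaSearch source.
const systemMessages = {
  // A wiki-editable message whose stored override carries markup.
  'example-search-noresults':
    'No results for "$1". <img src="x" onerror="alert(1)">',
};

// Replace $1, $2, ... with the supplied parameters; unknown ones stay as-is.
function substitute(template, params) {
  return template.replace(/\$(\d+)/g, (match, n) => {
    const value = params[Number(n) - 1];
    return value === undefined ? match : String(value);
  });
}

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored message is trusted as markup.
function renderMessageAsHtml(key, params = []) {
  return '<p class="notice">' + substitute(systemMessages[key], params) + '</p>';
}

// Hardened pattern: the message and its parameters are inserted as text.
function renderMessageAsText(key, params = []) {
  return '<p class="notice">' + escapeHtml(substitute(systemMessages[key], params)) + '</p>';
}

// Count element start tags in a fragment; the wrapper <p> accounts for one.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

const unsafe = renderMessageAsHtml('example-search-noresults', ['cats']);
const safe = renderMessageAsText('example-search-noresults', ['cats']);
console.log(countStartTags(unsafe), unsafe); // wrapper plus the stored <img>
console.log(countStartTags(safe), safe);     // wrapper only; markup is inert text
```

In a browser, the text-mode equivalent is assigning to `textContent` (or using a template engine's text interpolation) rather than `innerHTML`.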