Bug 2436189 (CVE-2025-67481)

Summary: CVE-2025-67481 MediaWiki: MediaWiki: Cross-site Scripting vulnerability via improper input neutralization
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in MediaWiki. This vulnerability, known as Cross-site Scripting (XSS), allows a remote attacker to inject malicious scripts into web pages. By failing to properly neutralize input during web page generation, MediaWiki can be exploited to execute arbitrary code in the context of a user's browser, potentially leading to information disclosure or unauthorized actions.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2436297, 2436303    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-03 03:01:19 UTC 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js.

This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.