CVE-2025-67475
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the program file includes/CommentFormatter/CommentParser.php.
This issue affects MediaWiki: all versions before 1.39.16, 1.43.x before 1.43.6, 1.44.x before 1.44.3, and 1.45.x before 1.45.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki before 1.39.16, 1.43.6, 1.44.3, 1.45.1 has a stored XSS vulnerability in CommentParser.php due to improper input neutralization.
A stored cross-site scripting (XSS) vulnerability exists in MediaWiki's CommentFormatter component, specifically in the CommentParser.php file [1]. The vulnerability is caused by improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript code that will be executed when other users view the affected comment [1].
To exploit this issue, an attacker must have the ability to post or edit comments on a MediaWiki site. The vulnerability does not require authentication beyond normal user privileges, but the attacker must be able to submit input that is stored and later rendered as part of a comment [1]. The attack vector is network-based, user interaction is required, and the scope is changed, meaning the injected script could affect other pages outside the comment itself.
The impact includes potential disclosure of sensitive session cookies, page redirection, or other malicious actions. The CVSS v3 base score is 6.1 (Medium), with low attack complexity and low privileges required [1].
Mitigation is available by upgrading to MediaWiki versions 1.39.16, 1.43.6, 1.44.3, 1.45.1 or later, which include the fix. No workarounds have been publicly documented, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <1.39.16, >=1.39.0 <1.39.16, >=1.43.0 <1.43.6, >=1.44.0 <1.44.3, >=1.45.0 <1.45.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] phabricator.wikimedia.org/T406664 (nvd; Permissions Required)
News mentions
No linked articles in our index yet.