CVE-2025-61655

Name	CVE-2025-61655
Description	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4355-1, DSA-6085-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mediawiki (PTS)	bullseye	1:1.35.13-1+deb11u2	vulnerable
	bullseye (security)	1:1.35.13-1+deb11u6	fixed
	bookworm, bookworm (security)	1:1.39.17-1~deb12u1	fixed
	trixie (security), trixie	1:1.43.6+dfsg-1~deb13u1	fixed
	forky, sid	1:1.43.6+dfsg-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
mediawiki	source	bullseye	1:1.35.13-1+deb11u5	DLA-4355-1
mediawiki	source	bookworm	1:1.39.17-1~deb12u1	DSA-6085-1
mediawiki	source	trixie	1:1.43.6+dfsg-1~deb13u1	DSA-6085-1
mediawiki	source	(unstable)	1:1.43.5+dfsg-1

https://phabricator.wikimedia.org/T395858
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualEditor/+/1193248