CVE-2025-11173
OATHAuth extension: Reauthentication for enabling 2FA can be
bypassed by submitting a form in Special:OATHManage.
CVE-2025-11261
Stored i18n Cross-site scripting (XSS) vulnerability in
mw.language.listToText.
CVE-2025-61635
ConfirmEdit extension: Missing rate limiting in
ApiFancyCaptchaReload.
CVE-2025-61638
Parsoid: Validation bypass for `data-` attributes.
CVE-2025-61639
Log entries that are hidden from the moment the entry is created may be
disclosed in the public recent change entry.
CVE-2025-61640
Stored i18n Cross-site scripting (XSS) vulnerability in
Special:RecentChangesLinked.
CVE-2025-61641
DDoS vulnerability in QueryAllPages API in miser mode. The
`maxsize` value is now ignored in that mode.
CVE-2025-61643
Suppressed recent changes may be disclosed to the public RCFeeds.
CVE-2025-61646
Public Watchlist/RecentChanges pages may disclose hidden usernames
when an individual editor makes consecutive revisions on a single