MGASA-2025-0260

Source
https://advisories.mageia.org/MGASA-2025-0260.html
Import Source
https://advisories.mageia.org/MGASA-2025-0260.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2025-0260
Related
Published
2025-11-05T22:49:51Z
Modified
2025-11-05T22:06:35Z
Summary
Updated mediawiki packages fix security vulnerabilities
Details

i18n XSS vulnerability in HTMLMultiSelectField when sections are used. (CVE-2025-3469)
"reupload-own" restriction can be bypassed by reverting file. (CVE-2025-32696)
Cascading protection is not preventing file reversions. (CVE-2025-32697)
LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions. (CVE-2025-32698)
Potential JavaScript injection attack enabled by Unicode normalization in Action API. (CVE-2025-32699)
AbuseFilter log interfaces expose global private and hidden filters when central DB is not available. (CVE-2025-32700)
HTML injection in feed output from i18n message. (CVE-2025-32072)
OATHAuth extension: Reauthentication for enabling 2FA can be bypassed by submitting a form in Special:OATHManage. (CVE-2025-11173)
Stored i18n Cross-site scripting (XSS) vulnerability in mw.language.listToText. (CVE-2025-11261)
ConfirmEdit extension: Missing rate limiting in ApiFancyCaptchaReload. (CVE-2025-61635)
Parsoid: Validation bypass for data- attributes. (CVE-2025-61638)
Log entries which are hidden from the creation of the entry may be disclosed to the public recent change entry. (CVE-2025-61639)
Stored i18n Cross-site scripting (XSS) vulnerability in Special:RecentChangesLinked. (CVE-2025-61640)
DDoS vulnerability in QueryAllPages API in miser mode. The maxsize value is now ignored in that mode. (CVE-2025-61641)
Suppressed recent changes may be disclosed to the public RCFeeds. (CVE-2025-61643)
Public Watchlist/RecentChanges pages may disclose hidden usernames when an individual editor makes consecutive revisions on a single page, and only some are marked as hidden username. (CVE-2025-61646)
TextExtracts extension: Information disclosure vulnerability in the extracts API action endpoint due to missing read permission check. (CVE-2025-61653)
VisualEditor extension: Stored i18n Cross-site scripting (XSS) vulnerability in lastModifiedAt system messages. (CVE-2025-61655)
VisualEditor extension: Missing attribute validation for attributes unwrapped from data-ve-attributes. (CVE-2025-61656)

References
Credits

Affected packages

Mageia:9 / mediawiki

Package

Name
mediawiki
Purl
pkg:rpm/mageia/mediawiki?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.35.14-1.1.mga9

Ecosystem specific

{
    "section": "core"
}