MediaWiki 1.39.13
2 July 2025
MediaWiki version 1.39.13 is now available (security release).
Upgrading to MediaWiki 1.39.13
You can upgrade to (or install) MediaWiki 1.39.13 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply MediaWiki updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install and test the 1.39.13 upgrade before applying it live.
What's New in MediaWiki 1.39.13
Security
- (T392746, CVE-2025-6590) SECURITY: Escape usernames in HTMLUserTextField validation errors.
- (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in action=feedcontributions.
- (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
- (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS when invalid 'format' is provided.
- (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as login for reauthentication.
Bug Fixes and Changes
- Localisation updates.
- (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
- (T391867) http: Handle accept header with incomplete q.
- Update Pingback address.
- (T393879) objectcache: Cast explicitly to integer.
- (T394989) FormatMetadata::formatFraction: Don't risk passing null to preg_match.
- (T395834) Treat File::getShortDesc() as possibly unsafe HTML.
- (T396766) ApiQueryRevisionsBase: Cast ctype_digit() param to string.
- (T221560) Remove hyphens from legal search characters for MySQL-based database searches.
- ParserCache forward-compatibility: anticipate removal of OutputHooks.
- Protect against ParserOutput/CacheTime re-namespacing.
- ParserCache forward-compatibility: anticipate removal of TOCHTML.
- SerializationTestUtils: handle 1.xx_wmf* versions; don't fail immediately.
- AuthManager: Be consistent about the remember flag on autocreate.
- (T397883, T397643) htmlform: fix min/max validations on empty input in int/float fields.