MediaWiki 1.39.14
3 October 2025
MediaWiki version 1.39.14 is now available (security release).
Upgrading to MediaWiki 1.39.14
MediaWiki 1.39.14 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.39.14 upgrade prior to applying it live.
What's New in MediaWiki 1.39.14
Security
- (T401099, CVE-2025-61638) SECURITY: Sanitize data- attributes.
- (T280413, CVE-2025-61639) SECURITY: Use ManualLogEntry::getDeleted in ::getRecentChange.
- (T402075, CVE-2025-61640) SECURITY: Parse messages instead of inserting them as HTML.
- (T298690, CVE-2025-61641) SECURITY: api: Disable maxsize in QueryAllPages in miser mode.
- (T403757, CVE-2025-61643) SECURITY: Don't send suppressed recent changes to RCFeeds.
- (T398706, CVE-2025-61646) SECURITY: Prevent leaking hidden usernames in Watchlist/RecentChanges.
Bug Fixes and Changes
- Localisation updates.
- (T399672) mime: Add mime types for *.less.
- ParserCacheSerializationTestCases: back port ParserOutput changes from 1.45.
- ParserCacheSerializationTestCases: distinguish empty ToC from missing ToC.
- Fix attachLatest --regenerate-all creating invalid SQL command.
- (T322099) Make RequestContext::sanitizeLangCode() accept null.
- (T380456) exception: Avoid service container init in exception handler.
- diff: Avoid Phan warning with some Wikidiff2 versions.
- (T387408) exception: Skip use of HookRunner when not autoloaded.
- (T327439) ParserOutput: Prepare to allow JsonCodec serialization of TOCData.
- media: Remove pass-by-ref in Exif::exifGPStoNumber.
- (T386208) Exif: Handle malformed gps tags.
- i18n: Add Special:MyLanguage to mediawiki.org links.
- (T380423) Show user a human readable message when $wgLocaltimezone is set to an invalid timezone.
- (T374042) PostgresUpdater: Fix typo in sites_group index renaming instruction.
- (T401570) rdbms: Fix read-only detection for MariaDB 12.
- (T400881) filerepo: Improve identification of ForeignAPIRepo requests.
- (T402037) config: Change Reauthenticate Time Default.
- SimpleParsoidOutputStash: protect against rollback from MW >= 1.43.
- (T401099, CVE-2025-61638) Upgrading wikimedia/parsoid (v0.16.5 => v0.16.6).
- (T394968) Metadata: ignore LocationCreated, similar to LocationShown.
- (T304428) Allow marking recent changes about logged actions with bot flag.
- (T400505) Regenerate patch-drop-page_restrictions-pr_user.sql for SQLite.