diff --git a/README.md b/README.md
index 32387e6b..2dfc6b00 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,16 @@
 请参考 [官网介绍](https://www.xmoj-bbs.me) 。
 如果您无法打开该网站，请前往[这里](https://scriptcat.org/zh-CN/script-show-page/1500/)安装。
 
+### 实验功能：短消息 WebUI
+
+仓库中新增了一个实验页面 `webui.html`，用于在不安装用户脚本时访问短消息相关能力（拉取会话、查看消息、发送消息、粘贴上传图片）。
+
+- 推荐启动代理模式：`node tools/webui-proxy.mjs`，然后访问 `http://127.0.0.1:8787/webui.html`。
+- 代理模式下支持直接输入用户名/密码登录并自动获取 `PHPSESSID`；同时也支持手动粘贴 `PHPSESSID`。
+- 直连模式（直接打开页面）受浏览器跨域限制，账号密码登录可能不可用，此时建议改用代理模式。
+- 安全策略：密码仅用于发起登录请求，不会在前端存储；会话信息仅存储在当前标签页的 `sessionStorage`，可一键清除。
+- 维护策略：API 调用格式与现有脚本中的 `RequestAPI` 保持一致，便于后续复用和统一维护。
+
 ### 贡献
 您想为我们的脚本添砖加瓦吗？快加入我们，为小明的OJ用户创造更美好的环境！（具体要求参见Code Of Conduct）
 
@@ -105,4 +115,3 @@
 <!-- ALL-CONTRIBUTORS-LIST:END -->
 
 
-
diff --git a/Update.json b/Update.json
index 38e5a669..d37a21c3 100644
--- a/Update.json
+++ b/Update.json
@@ -2937,7 +2937,7 @@
             ],
             "Notes": "No release notes were provided for this release."
         },
-        "1.10.0": {
+        "1.999990.0": {
             "UpdateDate": 1753443146018,
             "Prerelease": false,
             "UpdateContents": [
@@ -3424,4 +3424,4 @@
             "Notes": "<b>Bug 修复</b><br>\n- 修复了暗色模式下比赛排名表（contestrank-oi.php 和 contestrank-correct.php）颜色显示异常的问题（#916）<br>\n- 修复了 WebSocket 弹窗通知未遵循各功能独立弹窗开关（BBSPopup/MessagePopup）的问题（#919）"
         }
     }
-}
\ No newline at end of file
+}
diff --git a/index.html b/index.html
index 268a37b2..a5901bc6 100644
--- a/index.html
+++ b/index.html
@@ -41,6 +41,9 @@
                     <li class="nav-item">
                         <a class="nav-link" href="#Install">安装</a>
                     </li>
+                    <li class="nav-item">
+                        <a class="nav-link" href="webui.html">短消息 WebUI（实验）</a>
+                    </li>
                     <li class="nav-item">
                         <a class="nav-link" href="#Feedback">反馈</a>
                     </li>
diff --git a/tools/webui-proxy.mjs b/tools/webui-proxy.mjs
new file mode 100644
index 00000000..f198a926
--- /dev/null
+++ b/tools/webui-proxy.mjs
@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+import { createServer } from 'node:http';
+import { readFile } from 'node:fs/promises';
+import { createHash } from 'node:crypto';
+import { extname, join, normalize } from 'node:path';
+
+const HOST = process.env.HOST || '0.0.0.0';
+const PORT = Number(process.env.PORT || 8787);
+const ROOT = process.cwd();
+
+const MIME = {
+  '.html': 'text/html; charset=utf-8',
+  '.js': 'application/javascript; charset=utf-8',
+  '.mjs': 'application/javascript; charset=utf-8',
+  '.css': 'text/css; charset=utf-8',
+  '.json': 'application/json; charset=utf-8',
+  '.png': 'image/png',
+  '.jpg': 'image/jpeg',
+  '.jpeg': 'image/jpeg',
+  '.svg': 'image/svg+xml',
+  '.ico': 'image/x-icon'
+};
+
+const MAX_BODY = 15 * 1024 * 1024;
+
+function json(res, code, payload) {
+  res.writeHead(code, { 'Content-Type': 'application/json; charset=utf-8' });
+  res.end(JSON.stringify(payload));
+}
+
+function parseCookie(setCookie = '') {
+  const match = setCookie.match(/PHPSESSID=([^;]+)/i);
+  return match ? match[1] : '';
+}
+
+function md5(input) {
+  return createHash('md5').update(input).digest('hex');
+}
+
+async function readBody(req) {
+  const chunks = [];
+  let size = 0;
+  for await (const chunk of req) {
+    size += chunk.length;
+    if (size > MAX_BODY) throw new Error('请求体过大');
+    chunks.push(chunk);
+  }
+  if (chunks.length === 0) return {};
+  const raw = Buffer.concat(chunks).toString('utf8');
+  return raw ? JSON.parse(raw) : {};
+}
+
+async function handleLogin(req, res) {
+  const body = await readBody(req);
+  const username = String(body.username || '').trim();
+  const password = String(body.password || '');
+  if (!username || !password) {
+    return json(res, 400, { success: false, message: '用户名或密码不能为空。' });
+  }
+
+  const form = new URLSearchParams();
+  form.set('user_id', username);
+  form.set('password', md5(password));
+
+  const response = await fetch('https://www.xmoj.tech/login.php', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: form.toString(),
+    redirect: 'manual'
+  });
+
+  const text = await response.text();
+  const setCookie = response.headers.get('set-cookie') || '';
+  const sessionId = parseCookie(setCookie);
+
+  if (!sessionId) {
+    const maybeSuccess = text.includes('history.go(-2);');
+    return json(res, 401, {
+      success: false,
+      message: maybeSuccess ? '登录结果无法解析，请重试。' : '用户名或密码错误。'
+    });
+  }
+
+  return json(res, 200, {
+    success: true,
+    username,
+    sessionId
+  });
+}
+
+async function handleApiProxy(req, res, action) {
+  const body = await readBody(req);
+  const response = await fetch(`https://api.xmoj-bbs.me/${action}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body)
+  });
+  const text = await response.text();
+  res.writeHead(response.status, { 'Content-Type': 'application/json; charset=utf-8' });
+  res.end(text);
+}
+
+async function serveStatic(req, res, pathname) {
+  const clean = normalize(pathname).replace(/^\/+/, '');
+  const file = clean === '' ? 'index.html' : clean;
+  if (file.includes('..')) {
+    res.writeHead(403);
+    res.end('Forbidden');
+    return;
+  }
+  const fullPath = join(ROOT, file);
+  try {
+    const data = await readFile(fullPath);
+    const type = MIME[extname(fullPath)] || 'application/octet-stream';
+    res.writeHead(200, { 'Content-Type': type });
+    res.end(data);
+  } catch {
+    res.writeHead(404, { 'Content-Type': 'text/plain; charset=utf-8' });
+    res.end('Not Found');
+  }
+}
+
+createServer(async (req, res) => {
+  try {
+    const url = new URL(req.url || '/', `http://${req.headers.host}`);
+    const pathname = url.pathname;
+
+    if (pathname === '/__webui/health') {
+      return json(res, 200, { success: true, mode: 'proxy' });
+    }
+    if (pathname === '/__webui/login' && req.method === 'POST') {
+      return await handleLogin(req, res);
+    }
+    if (pathname.startsWith('/__webui/api/') && req.method === 'POST') {
+      const action = pathname.substring('/__webui/api/'.length);
+      if (!action) return json(res, 400, { success: false, message: '缺少 action' });
+      return await handleApiProxy(req, res, action);
+    }
+
+    return await serveStatic(req, res, pathname);
+  } catch (error) {
+    return json(res, 500, { success: false, message: error.message || 'Internal error' });
+  }
+}).listen(PORT, HOST, () => {
+  console.log(`[webui-proxy] http://${HOST}:${PORT}`);
+});
diff --git a/webui.html b/webui.html
new file mode 100644
index 00000000..de0d7de4
--- /dev/null
+++ b/webui.html
@@ -0,0 +1,395 @@
+<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width,initial-scale=1" />
+  <title>XMOJ 短消息 WebUI（实验）</title>
+  <link href="https://cdn.bootcdn.net/ajax/libs/twitter-bootstrap/5.2.3/css/bootstrap.min.css" rel="stylesheet">
+  <script src="https://cdn.bootcdn.net/ajax/libs/blueimp-md5/2.19.0/js/md5.min.js"></script>
+  <style>
+    body { background: #f7f8fa; }
+    .message-list { max-height: 60vh; overflow: auto; }
+    .message-bubble { border-radius: 12px; padding: 10px 12px; margin-bottom: 8px; white-space: pre-wrap; word-break: break-word; }
+    .message-in { background: #fff; border: 1px solid #e6eaf0; }
+    .message-out { background: #d9fdd3; border: 1px solid #b9e6b2; }
+    .message-meta { font-size: 12px; color: #6c757d; }
+    .conversation-item { cursor: pointer; }
+    .conversation-item.active { background: #ebf2ff; }
+    .safe-note { font-size: 13px; color: #6c757d; }
+    .image-preview { max-width: 320px; border-radius: 8px; display: block; margin-top: 6px; }
+  </style>
+</head>
+<body>
+<div class="container py-4">
+  <h1 class="h3 mb-3">XMOJ 短消息 WebUI（实验）</h1>
+  <p class="safe-note mb-2">密码仅用于单次登录请求，不落盘；会话仅保存在当前标签页的 <code>sessionStorage</code>，可手动清除。</p>
+  <div id="modeBanner" class="alert alert-info py-2">正在检测运行模式...</div>
+
+  <div class="card mb-3">
+    <div class="card-body">
+      <h2 class="h5">1) 登录 / 会话</h2>
+      <div class="row g-2 align-items-end">
+        <div class="col-md-3">
+          <label class="form-label" for="username">用户名（学号）</label>
+          <input id="username" class="form-control" autocomplete="username" />
+        </div>
+        <div class="col-md-3">
+          <label class="form-label" for="password">密码</label>
+          <input id="password" type="password" class="form-control" autocomplete="current-password" />
+        </div>
+        <div class="col-md-3">
+          <label class="form-label" for="sessionId">PHPSESSID（可手动填）</label>
+          <input id="sessionId" class="form-control" />
+        </div>
+        <div class="col-md-3 d-flex gap-2">
+          <button id="loginBtn" class="btn btn-primary">账号密码登录</button>
+          <button id="saveSessionBtn" class="btn btn-outline-secondary">使用当前会话</button>
+          <button id="clearBtn" class="btn btn-outline-danger">清除</button>
+        </div>
+      </div>
+      <div id="loginStatus" class="mt-2 text-muted"></div>
+    </div>
+  </div>
+
+  <div class="row g-3">
+    <div class="col-lg-4">
+      <div class="card">
+        <div class="card-body">
+          <div class="d-flex justify-content-between align-items-center mb-2">
+            <h2 class="h5 mb-0">2) 会话列表</h2>
+            <button id="refreshListBtn" class="btn btn-sm btn-outline-primary">刷新</button>
+          </div>
+          <div id="conversationList" class="list-group message-list"></div>
+        </div>
+      </div>
+    </div>
+    <div class="col-lg-8">
+      <div class="card mb-3">
+        <div class="card-body">
+          <div class="d-flex justify-content-between align-items-center mb-2">
+            <h2 class="h5 mb-0">3) 对话内容</h2>
+            <button id="refreshMessageBtn" class="btn btn-sm btn-outline-primary">刷新</button>
+          </div>
+          <div id="currentTarget" class="text-muted mb-2">请先选择一个会话。</div>
+          <div id="messageList" class="message-list"></div>
+        </div>
+      </div>
+      <div class="card">
+        <div class="card-body">
+          <h2 class="h5">4) 发送消息 / 图片</h2>
+          <div class="mb-2">
+            <textarea id="messageInput" class="form-control" rows="4" placeholder="输入消息。粘贴截图会自动上传并插入图片 Markdown。"></textarea>
+          </div>
+          <div class="d-flex gap-2 align-items-center">
+            <button id="sendBtn" class="btn btn-success">发送</button>
+            <span id="sendStatus" class="text-muted"></span>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+
+<script>
+const API_BASE = 'https://api.xmoj-bbs.me/';
+const STORAGE_KEY = 'xmoj-webui-session';
+
+const state = {
+  username: '',
+  sessionId: '',
+  selectedUser: '',
+  mode: 'direct'
+};
+
+const el = {
+  modeBanner: document.getElementById('modeBanner'),
+  username: document.getElementById('username'),
+  password: document.getElementById('password'),
+  sessionId: document.getElementById('sessionId'),
+  loginBtn: document.getElementById('loginBtn'),
+  saveSessionBtn: document.getElementById('saveSessionBtn'),
+  clearBtn: document.getElementById('clearBtn'),
+  loginStatus: document.getElementById('loginStatus'),
+  refreshListBtn: document.getElementById('refreshListBtn'),
+  conversationList: document.getElementById('conversationList'),
+  refreshMessageBtn: document.getElementById('refreshMessageBtn'),
+  currentTarget: document.getElementById('currentTarget'),
+  messageList: document.getElementById('messageList'),
+  messageInput: document.getElementById('messageInput'),
+  sendBtn: document.getElementById('sendBtn'),
+  sendStatus: document.getElementById('sendStatus')
+};
+
+function setStatus(msg, isError = false) {
+  el.loginStatus.className = isError ? 'mt-2 text-danger' : 'mt-2 text-muted';
+  el.loginStatus.textContent = msg;
+}
+function setSendStatus(msg, isError = false) {
+  el.sendStatus.className = isError ? 'text-danger' : 'text-muted';
+  el.sendStatus.textContent = msg;
+}
+function escapeHtml(text) {
+  const div = document.createElement('div');
+  div.textContent = text;
+  return div.innerHTML;
+}
+
+function persistSession() {
+  sessionStorage.setItem(STORAGE_KEY, JSON.stringify({ username: state.username, sessionId: state.sessionId }));
+}
+function loadSession() {
+  try {
+    const parsed = JSON.parse(sessionStorage.getItem(STORAGE_KEY) || '{}');
+    if (parsed.username && parsed.sessionId) {
+      state.username = parsed.username;
+      state.sessionId = parsed.sessionId;
+      el.username.value = parsed.username;
+      el.sessionId.value = parsed.sessionId;
+      setStatus('已恢复当前标签页会话。');
+    }
+  } catch {
+    sessionStorage.removeItem(STORAGE_KEY);
+  }
+}
+function clearAll() {
+  state.username = '';
+  state.sessionId = '';
+  state.selectedUser = '';
+  sessionStorage.removeItem(STORAGE_KEY);
+  el.password.value = '';
+  el.username.value = '';
+  el.sessionId.value = '';
+  el.messageInput.value = '';
+  el.conversationList.innerHTML = '';
+  el.messageList.innerHTML = '';
+  el.currentTarget.textContent = '请先选择一个会话。';
+  setStatus('会话已清除。');
+  setSendStatus('');
+}
+
+function apiPayload(data) {
+  return {
+    Authentication: { SessionID: state.sessionId, Username: state.username },
+    Data: data,
+    Version: 'webui-0.2.0',
+    DebugMode: false
+  };
+}
+
+async function detectMode() {
+  try {
+    const res = await fetch('/__webui/health', { cache: 'no-store' });
+    if (!res.ok) throw new Error('health not ok');
+    state.mode = 'proxy';
+    el.modeBanner.className = 'alert alert-success py-2';
+    el.modeBanner.innerHTML = '当前为 <b>代理模式</b>：已启用同源后端代理，可直接用账号密码登录并稳定调用 API。';
+    el.loginBtn.disabled = false;
+  } catch {
+    state.mode = 'direct';
+    el.modeBanner.className = 'alert alert-warning py-2';
+    el.modeBanner.innerHTML = '当前为 <b>直连模式</b>：受浏览器跨域限制，账号密码登录可能不可用。建议运行 <code>node tools/webui-proxy.mjs</code> 后从本地地址访问。';
+  }
+}
+
+async function requestAction(action, data) {
+  if (!state.username || !state.sessionId) throw new Error('请先设置用户名与 PHPSESSID。');
+
+  if (state.mode === 'proxy') {
+    const res = await fetch(`/__webui/api/${action}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(apiPayload(data))
+    });
+    if (!res.ok) throw new Error('代理请求失败：HTTP ' + res.status);
+    return res.json();
+  }
+
+  const res = await fetch(API_BASE + action, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(apiPayload(data))
+  });
+  if (!res.ok) throw new Error('API 请求失败：HTTP ' + res.status);
+  return res.json();
+}
+
+async function loginByPassword() {
+  const username = el.username.value.trim();
+  const password = el.password.value;
+  if (!username || !password) throw new Error('用户名或密码不能为空。');
+
+  if (state.mode === 'proxy') {
+    const res = await fetch('/__webui/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ username, password })
+    });
+    const result = await res.json();
+    if (!res.ok || !result.success) throw new Error(result.message || '登录失败。');
+    state.username = result.username;
+    state.sessionId = result.sessionId;
+    el.username.value = state.username;
+    el.sessionId.value = state.sessionId;
+    el.password.value = '';
+    persistSession();
+    setStatus('登录成功，会话已更新。');
+    return;
+  }
+
+  const params = new URLSearchParams();
+  params.set('user_id', username);
+  params.set('password', md5(password));
+  await fetch('https://www.xmoj.tech/login.php', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: params.toString(),
+    credentials: 'include'
+  });
+  throw new Error('直连模式下浏览器无法读取跨域 Set-Cookie，请手动填写 PHPSESSID，或改用代理模式。');
+}
+
+function formatTime(ts) {
+  const d = new Date(ts);
+  return Number.isNaN(d.getTime()) ? String(ts || '') : d.toLocaleString();
+}
+function renderContent(content) {
+  const escaped = escapeHtml(content || '');
+  return escaped.replace(/!\[.*?\]\((https?:\/\/[^)]+)\)/g, '<img class="image-preview" src="$1" alt="image" loading="lazy">');
+}
+
+async function refreshConversationList() {
+  setStatus('正在刷新会话列表...');
+  const result = await requestAction('GetMailList', {});
+  if (!result.Success) throw new Error(result.Message || '获取会话列表失败');
+  const list = result.Data?.MailList || [];
+  el.conversationList.innerHTML = '';
+  if (list.length === 0) {
+    el.conversationList.innerHTML = '<div class="text-muted">暂无会话</div>';
+  }
+  list.forEach(item => {
+    const btn = document.createElement('button');
+    btn.type = 'button';
+    btn.className = 'list-group-item list-group-item-action conversation-item';
+    if (item.OtherUser === state.selectedUser) btn.classList.add('active');
+    const unread = item.UnreadCount ? `<span class="badge text-bg-danger ms-1">${item.UnreadCount}</span>` : '';
+    btn.innerHTML = `<div class="fw-semibold">${escapeHtml(item.OtherUser)}${unread}</div>
+      <div class="small text-muted text-truncate">${escapeHtml((item.LastsMessage || '').replace(/!\[.*?\]\(.*?\)/g, '[image]'))}</div>
+      <div class="small text-muted">${formatTime(item.SendTime)}</div>`;
+    btn.addEventListener('click', async () => {
+      state.selectedUser = item.OtherUser;
+      await refreshConversationList();
+      await refreshMessages();
+    });
+    el.conversationList.appendChild(btn);
+  });
+  setStatus('会话列表已更新。');
+}
+
+async function refreshMessages() {
+  if (!state.selectedUser) return;
+  el.currentTarget.textContent = `当前会话：${state.selectedUser}`;
+  await requestAction('ReadUserMailMention', { UserID: String(state.selectedUser) });
+  const result = await requestAction('GetMail', { UserID: String(state.selectedUser) });
+  if (!result.Success) throw new Error(result.Message || '获取消息失败');
+
+  const list = result.Data?.Mails || [];
+  el.messageList.innerHTML = '';
+  if (list.length === 0) {
+    el.messageList.innerHTML = '<div class="text-muted">暂无消息</div>';
+    return;
+  }
+
+  list.forEach(item => {
+    const wrap = document.createElement('div');
+    const isOut = item.FromUser === state.username;
+    wrap.className = `message-bubble ${isOut ? 'message-out' : 'message-in'}`;
+    wrap.innerHTML = `<div class="message-meta">${escapeHtml(item.FromUser)} → ${escapeHtml(item.ToUser)} · ${formatTime(item.SendTime)} · ${item.IsRead ? '已读' : '未读'}</div><div>${renderContent(item.Content || '')}</div>`;
+    el.messageList.appendChild(wrap);
+  });
+}
+
+async function uploadImage(file) {
+  const data = await new Promise((resolve, reject) => {
+    const reader = new FileReader();
+    reader.onload = () => resolve(reader.result);
+    reader.onerror = () => reject(new Error('读取图片失败'));
+    reader.readAsDataURL(file);
+  });
+  const result = await requestAction('UploadImage', { Image: data });
+  if (!result.Success) throw new Error(result.Message || '上传失败');
+  return `https://assets.xmoj-bbs.me/GetImage?ImageID=${result.Data.ImageID}`;
+}
+
+el.loginBtn.addEventListener('click', async () => {
+  try {
+    await loginByPassword();
+    await refreshConversationList();
+  } catch (error) {
+    setStatus(error.message, true);
+  }
+});
+el.saveSessionBtn.addEventListener('click', async () => {
+  try {
+    const username = el.username.value.trim();
+    const sessionId = el.sessionId.value.trim();
+    if (!username || !sessionId) throw new Error('请填写用户名和 PHPSESSID。');
+    state.username = username;
+    state.sessionId = sessionId;
+    persistSession();
+    setStatus('会话已保存。');
+    await refreshConversationList();
+  } catch (error) {
+    setStatus(error.message, true);
+  }
+});
+el.clearBtn.addEventListener('click', clearAll);
+el.refreshListBtn.addEventListener('click', async () => {
+  try { await refreshConversationList(); } catch (error) { setStatus(error.message, true); }
+});
+el.refreshMessageBtn.addEventListener('click', async () => {
+  try { await refreshMessages(); } catch (error) { setStatus(error.message, true); }
+});
+el.sendBtn.addEventListener('click', async () => {
+  try {
+    if (!state.selectedUser) throw new Error('请先选择会话对象。');
+    const content = el.messageInput.value.trim();
+    if (!content) throw new Error('消息不能为空。');
+    setSendStatus('发送中...');
+    const result = await requestAction('SendMail', { ToUser: String(state.selectedUser), Content: String(content) });
+    if (!result.Success) throw new Error(result.Message || '发送失败');
+    el.messageInput.value = '';
+    setSendStatus('发送成功。');
+    await refreshMessages();
+    await refreshConversationList();
+  } catch (error) {
+    setSendStatus(error.message, true);
+  }
+});
+
+el.messageInput.addEventListener('paste', async (event) => {
+  const items = event.clipboardData?.items || [];
+  for (const item of items) {
+    if (item.type.includes('image')) {
+      event.preventDefault();
+      try {
+        setSendStatus('正在上传图片...');
+        const imageUrl = await uploadImage(item.getAsFile());
+        const before = el.messageInput.value.slice(0, el.messageInput.selectionStart);
+        const after = el.messageInput.value.slice(el.messageInput.selectionEnd);
+        el.messageInput.value = `${before}![](${imageUrl})${after}`;
+        setSendStatus('图片上传成功，已插入消息。');
+      } catch (error) {
+        setSendStatus(error.message, true);
+      }
+      break;
+    }
+  }
+});
+
+(async () => {
+  await detectMode();
+  loadSession();
+})();
+</script>
+</body>
+</html>