PT-2026-55481 · Packagist · Mediawiki/Maps

Publicado

2026-07-02

·

Atualizado

2026-07-02

·

CVE-2026-52854

CVSS v3.1

8.6

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display map parser function when using the leaflet service.

Details

The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243

PoC

Preview the following wikitext, using the default configuration options of the extension:
{{#display map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}

Impact

Stored XSS can be performed by any user with the edit permission.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-52854
GHSA-4H7G-5542-V3FC

Produtos afetados

Mediawiki/Maps