
Mina M. Edwar

#34306 of 53,633
7.6 Total CVSS
Vulnerabilities · 1
PT-2021-14463
7.6
2021-03-18
Wiki.Js · Wiki.Js · CVE-2021-21383
**Name of the Vulnerable Software and Affected Versions**

Wiki.js versions prior to 2.5.191

**Description**

The issue exists due to mustache expressions being parsed by Vue during content injection, even when contained within a `<pre>` element. This allows a malicious user to stage a stored cross-site scripting attack by creating a crafted wiki page. The attacker can execute malicious JavaScript when the page is viewed by other users.

**Recommendations**

For versions prior to 2.5.191, update to version 2.5.191 or later, which includes the fix by adding the v-pre directive to all `<pre>` tags during the render. As a temporary workaround, consider restricting access to the `<pre>` element or disabling the mustache expressions in code blocks until the update is applied.
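
The fix described above, sketched as a post-render pass that adds `v-pre` to every `<pre>` tag, plus an audit helper that flags `<pre>` blocks still open to mustache parsing. This is an added example, not Wiki.js code: the function names and the sample HTML are hypothetical, and it assumes a regex pass is acceptable for illustration where a real renderer would use an HTML parser.

```javascript
// Added example (not Wiki.js code). Function names are hypothetical.
// Regex-based so it runs without dependencies; a production renderer
// should do the same pass with a real HTML parser.

// Attribute text of an opening tag; quoted values may contain '>'.
const ATTRS = `((?:"[^"]*"|'[^']*'|[^>"'])*)`;
const PRE_OPEN = new RegExp(`<(pre)(?=[\\s>])${ATTRS}>`, 'gi');
const PRE_BLOCK = new RegExp(`<pre(?=[\\s>])${ATTRS}>([\\s\\S]*?)</pre\\s*>`, 'gi');

// True only if v-pre is a real attribute, not text inside a quoted value.
function hasVPre(attrs) {
  const bare = attrs.replace(/"[^"]*"|'[^']*'/g, '""');
  return /(?:^|\s)v-pre(?=\s|=|$)/i.test(bare);
}

// Mitigation: mark every <pre> so Vue skips compiling its contents.
function addVPre(html) {
  return html.replace(PRE_OPEN, (tag, name, attrs) =>
    hasVPre(attrs) ? tag : `<${name} v-pre${attrs}>`);
}

// Audit: offsets of <pre> blocks that contain "{{" but lack v-pre.
function findUnprotectedPre(html) {
  const hits = [];
  for (const m of html.matchAll(PRE_BLOCK)) {
    if (!hasVPre(m[1]) && m[2].includes('{{')) hits.push(m.index);
  }
  return hits;
}

// Constructed sample of rendered page HTML (harmless expressions only).
const SAMPLE = [
  '<p>Intro</p>',
  '<pre class="prismjs"><code>{{ 1 + 1 }}</code></pre>',
  '<pre v-pre><code>{{ ok }}</code></pre>',
  '<PRE title="a > b v-pre">{{ x }}</PRE>', // v-pre only inside a value
].join('\n');

console.log('unprotected before:', findUnprotectedPre(SAMPLE).length);
console.log(addVPre(SAMPLE));
console.log('unprotected after:', findUnprotectedPre(addVPre(SAMPLE)).length);
```
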