CVE-2025-49575

Name of the Vulnerable Software and Affected Versions mediawiki-skins-Citizen versions prior to 3.3.1

Description The issue affects MediaWiki skin Citizen, allowing stored XSS in Command Palette tip messages. This occurs because multiple system messages are inserted into the CommandPaletteFooter as raw HTML, enabling anyone who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the editinterface but not the editsitejs user right.

Recommendations For versions prior to 3.3.1, update to version 3.3.1 to resolve the issue. As a temporary workaround, consider restricting the editinterface user right to prevent unauthorized editing of system messages.