PT-2025-25347 · Citizen · Citizen

Somemwdev · Published 2025-06-12 · Updated 2025-08-22 · CVE-2025-49578

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Citizen versions prior to 3.3.1

Description

The issue affects Citizen, a MediaWiki skin that integrates extensions into a cohesive experience. Users with the editinterface right can insert arbitrary HTML into the DOM by editing the date messages returned by Language::userDate, potentially leading to security issues. This is particularly concerning for wikis where users have the editinterface right but not the editsitejs right.

Recommendations

Update versions prior to 3.3.1 to version 3.3.1 to resolve the issue. As a temporary workaround, consider restricting the editinterface user right to minimize the risk of exploitation.
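
To check whether a wiki falls into the case the description singles out, the following added example (not code from the advisory or from the Citizen project) reads a MediaWiki siteinfo response and reports the Citizen version status and the groups that hold editinterface without editsitejs. The sample response is constructed, and the example assumes the skin appears in the `extensions` list with `type` set to `skin` and a `version` string.

```python
import json
import re

FIXED = (3, 3, 1)  # first fixed Citizen release, per the advisory

# Constructed sample, shaped like the JSON returned by
# api.php?action=query&meta=siteinfo&siprop=usergroups|extensions&format=json
SAMPLE = json.loads("""
{"query": {
  "usergroups": [
    {"name": "user", "rights": ["edit", "createpage"]},
    {"name": "sysop", "rights": ["edit", "editinterface", "delete"]},
    {"name": "interface-admin", "rights": ["editinterface", "editsitejs"]}
  ],
  "extensions": [
    {"type": "skin", "name": "Citizen", "version": "3.3.0"},
    {"type": "skin", "name": "Vector", "version": "1.0.0"}
  ]
}}
""")

def parse_version(text):
    """'3.3.0' -> (3, 3, 0); returns None if no x.y.z prefix is present."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def citizen_status(siteinfo):
    """Return 'absent', 'unknown', 'vulnerable' or 'fixed' for the Citizen skin."""
    for ext in siteinfo["query"].get("extensions", []):
        if ext.get("type") == "skin" and ext.get("name") == "Citizen":
            version = parse_version(ext.get("version"))
            if version is None:
                return "unknown"
            return "vulnerable" if version < FIXED else "fixed"
    return "absent"

def exposed_groups(siteinfo):
    """Groups that hold editinterface without editsitejs."""
    hits = []
    for group in siteinfo["query"].get("usergroups", []):
        rights = set(group.get("rights", []))
        if "editinterface" in rights and "editsitejs" not in rights:
            hits.append(group["name"])
    return sorted(hits)

if __name__ == "__main__":
    print("Citizen:", citizen_status(SAMPLE))
    print("Groups to review:", exposed_groups(SAMPLE))
```

A "vulnerable" status together with a non-empty group list marks the wikis where the temporary workaround matters most until the update to 3.3.1 is applied.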

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-49578
GHSA-2V3V-3WHP-953H

Affected Products

Citizen