PT-2026-55481 · Packagist · Mediawiki/Maps
Published
2026-07-02
·
Updated
2026-07-02
·
CVE-2026-52854
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
Summary
Stored XSS through wikitext can be performed by inserting malicious HTML into the
overlays parameter of the display map parser function when using the leaflet service.Details
The maps extension doesn't escape overlay names before passing them to leaflet.
Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243
PoC
Preview the following wikitext, using the default configuration options of the extension:
{{#display map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}Impact
Stored XSS can be performed by any user with the
edit permission.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Mediawiki/Maps