PT-2026-55481 · Packagist · Mediawiki/Maps

Published

2026-07-02

·

Updated

2026-07-02

·

CVE-2026-52854

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display map parser function when using the leaflet service.

Details

The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243

PoC

Preview the following wikitext, using the default configuration options of the extension:
{{#display map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}

Impact

Stored XSS can be performed by any user with the edit permission.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-52854
GHSA-4H7G-5542-V3FC

Affected Products

Mediawiki/Maps