MediaWiki Maps CVE-2026-52854
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Edit permission is required so PR:L; stored XSS needs a victim to view the page (UI:R) and executes in their browser beyond the wiki component (S:C) with typical session-scoped C:L/I:L.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display_map parser function when using the leaflet service.
Details
The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243
PoC
Preview the following wikitext, using the default configuration options of the extension:
{{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}Impact
Stored XSS can be performed by any user with the edit permission.
AnalysisAI
{{#display_map}} parser function when the leaflet service is used. Overlay names are passed unescaped into Leaflet, which renders them as raw HTML, so a crafted overlay value executes in the browser of every user who views the page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an account with the MediaWiki 'edit' permission on a wiki running the Maps extension, and the payload must use the leaflet service via the {{#display_map}} parser function's 'overlays' parameter - this works under the extension's default configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, score 8.6) is internally inconsistent with the advisory's own impact statement, which says exploitation requires the 'edit' permission - that implies PR:L, not PR:N, and stored XSS normally requires a victim to view the page (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with edit rights on the wiki saves a page containing {{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}, storing the payload in the article. When any other user - including administrators - subsequently views or previews that page, the unescaped overlay name is rendered as HTML and the injected JavaScript executes in their session. … |
| Remediation | Upgrade the Maps extension to the fixed release referenced in GitHub advisory GHSA-4h7g-5542-v3fc (https://github.com/ProfessionalWiki/Maps/security/advisories/GHSA-4h7g-5542-v3fc); the input data does not contain an exact patched version number, so confirm the fixed version directly from that advisory before deploying via Composer. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
{{#display_map}} parser and assess exposure scope, particularly customer-facing or data-handling systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4h7g-5542-v3fc