Skip to main content

MediaWiki Maps CVE-2026-52854

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 https://github.com/ProfessionalWiki/Maps GHSA-4h7g-5542-v3fc
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
5.4 MEDIUM

Edit permission is required so PR:L; stored XSS needs a victim to view the page (UI:R) and executes in their browser beyond the wiki component (S:C) with typical session-scoped C:L/I:L.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 18:17 vuln.today
CVE Published
Jul 02, 2026 - 17:51 github-advisory
HIGH 8.6

DescriptionGitHub Advisory

Summary

Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display_map parser function when using the leaflet service.

Details

The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243

PoC

Preview the following wikitext, using the default configuration options of the extension:

{{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}

Impact

Stored XSS can be performed by any user with the edit permission.

AnalysisAI

{{#display_map}} parser function when the leaflet service is used. Overlay names are passed unescaped into Leaflet, which renders them as raw HTML, so a crafted overlay value executes in the browser of every user who views the page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain wiki account with edit permission
Delivery
Save page with crafted overlays value in display_map
Exploit
Payload stored in wikitext unescaped
Execution
Victim views or previews page
Persist
Leaflet renders overlay name as HTML
Impact
JavaScript executes in victim browser session

Vulnerability AssessmentAI

Exploitation Requires an account with the MediaWiki 'edit' permission on a wiki running the Maps extension, and the payload must use the leaflet service via the {{#display_map}} parser function's 'overlays' parameter - this works under the extension's default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, score 8.6) is internally inconsistent with the advisory's own impact statement, which says exploitation requires the 'edit' permission - that implies PR:L, not PR:N, and stored XSS normally requires a victim to view the page (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with edit rights on the wiki saves a page containing {{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}, storing the payload in the article. When any other user - including administrators - subsequently views or previews that page, the unescaped overlay name is rendered as HTML and the injected JavaScript executes in their session. …
Remediation Upgrade the Maps extension to the fixed release referenced in GitHub advisory GHSA-4h7g-5542-v3fc (https://github.com/ProfessionalWiki/Maps/security/advisories/GHSA-4h7g-5542-v3fc); the input data does not contain an exact patched version number, so confirm the fixed version directly from that advisory before deploying via Composer. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

{{#display_map}} parser and assess exposure scope, particularly customer-facing or data-handling systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52854 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy