CVE-2026-52854HIGHCVSS 8.6

mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function

Published Jul 2, 2026·Updated Jul 2, 2026

Description

### Summary Stored XSS through wikitext can be performed by inserting malicious HTML into the `overlays` parameter of the `display_map` parser function when using the leaflet service. ### Details The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243 ### PoC Preview the following wikitext, using the default configuration options of the extension: ``` {{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}} ``` ### Impact Stored XSS can be performed by any user with the `edit` permission.

Affected Packages (1)

mediawiki/mapsCOMPOSER
Fixed in 12.1.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free