GHSA-4h7g-5542-v3fcHighCVSS 8.6

mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function

Published
July 2, 2026
Last Modified
July 2, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display_map parser function when using the leaflet service.

Details

The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243

PoC

Preview the following wikitext, using the default configuration options of the extension:

{{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}

Impact

Stored XSS can be performed by any user with the edit permission.

🎯 Affected products1

  • composer/mediawiki/maps:< 12.1.3

🔗 References (2)