In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.
{ "severity": "Medium", "cpes": [ "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*" ] }