TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.
{
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21612.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "d8c3db4e5935476e496d979fb01f775d3d3282e6"
},
{
"fixed": "f229cab099c69006e25d4bad3579954e481dc566"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "GitHub_M"
}