GHSA-4h7g-5542-v3fc

Source
https://github.com/advisories/GHSA-4h7g-5542-v3fc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-4h7g-5542-v3fc/GHSA-4h7g-5542-v3fc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4h7g-5542-v3fc
Aliases
  • CVE-2026-52854
Published
2026-07-02T17:51:24Z
Modified
2026-07-02T18:00:19.765546244Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function
Details

Summary

Stored XSS through wikitext: malicious HTML placed in the overlays parameter of the display_map parser function is rendered unescaped when the leaflet service is used, so the payload is saved with the page and runs for everyone who views it.

Details

The Maps extension does not escape overlay names before passing them to Leaflet, and Leaflet inserts each name into the page as HTML rather than as text, so any markup in the name (including event-handler attributes) is parsed and executed by the browser: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243

PoC

Preview the following wikitext, using the default configuration options of the extension:

{{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}
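The following is an added example, not code from the Maps extension or from Leaflet. It models the path the advisory describes: the overlays value is taken from the wikitext, handed to a label renderer that treats it as markup (the way the page says Leaflet does), and then the same value is HTML-escaped first, which is the fix. It also includes a small audit helper for finding such values in existing page text. Assumptions are labelled in the comments: the display_map call is parsed as pipe-separated key=value parameters after the coordinates, the whole overlays= value is treated as one overlay name exactly as the PoC does (the extension's real parsing of that value is not shown on this page), and the sample page text is constructed.

```javascript
// Added example (not code from the Maps extension or from Leaflet): models the
// vulnerable path described in the advisory and the escaping that closes it.
// Assumptions: a {{#display_map:...}} call is coordinates followed by
// pipe-separated key=value parameters, the whole overlays= value is one
// overlay name (as in the PoC), and renderLayerLabelUnsafe stands in for the
// map library writing the name into the DOM as HTML.

const POC_WIKITEXT =
  '{{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}';

// Constructed sample page: one benign call and the PoC call.
const SAMPLE_PAGE = [
  'Benign map: {{#display_map:52.5,13.4|service=leaflet|overlays=OpenTopoMap}}',
  'Payload: ' + POC_WIKITEXT,
].join('\n');

// Parse every display_map call into { location, params }.
// Assumption: no nested templates inside the call, so a value runs to the
// next pipe or to the closing braces.
function parseDisplayMapCalls(wikitext) {
  const calls = [];
  const callRe = /\{\{#display_map:([^}]*)\}\}/g;
  let m;
  while ((m = callRe.exec(wikitext)) !== null) {
    const parts = m[1].split('|');
    const params = {};
    for (const part of parts.slice(1)) {
      const eq = part.indexOf('=');
      if (eq === -1) continue;
      params[part.slice(0, eq).trim()] = part.slice(eq + 1);
    }
    calls.push({ location: parts[0], params });
  }
  return calls;
}

// HTML-escape a string so a browser renders it as text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the vulnerable path: the layer label is built with the raw
// name as markup (the string equivalent of innerHTML = ' ' + name).
function renderLayerLabelUnsafe(name) {
  return '<span> ' + name + '</span>';
}

// Hardened path: escape the name before it reaches the map library.
function renderLayerLabelSafe(name) {
  return renderLayerLabelUnsafe(escapeHtml(name));
}

// True if the rendered label contains any tag other than the wrapper span.
function hasInjectedElement(html) {
  return /<(?!\/?span>)/i.test(html);
}

// Audit helper for existing pages: returns overlays= values that contain
// markup characters, i.e. the ones an unpatched install would render as HTML.
function auditOverlays(wikitext) {
  return parseDisplayMapCalls(wikitext)
    .map((c) => c.params.overlays)
    .filter((v) => typeof v === 'string' && /[<>]/.test(v));
}

function demo() {
  for (const name of auditOverlays(SAMPLE_PAGE)) {
    console.log('unsafe label:  ' + renderLayerLabelUnsafe(name));
    console.log('escaped label: ' + renderLayerLabelSafe(name));
  }
}

demo();
```

The audit helper is the check to run over wikitext (for example a dump of pages that use display_map) before and after upgrading: any overlays value containing `<` or `>` is a candidate payload on versions before 12.1.3. The escaping belongs on the server side, before the name is serialised for the client, so that the map library only ever receives text.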

Impact

Any user with the edit permission can store the payload in a page; it then executes in the browser of every user who views that page, with that viewer's session.

Database specific
{
    "github_reviewed_at": "2026-07-02T17:51:24Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "severity": "HIGH"
}
References

Affected packages

Packagist / mediawiki/maps

Package

Name
mediawiki/maps
Purl
pkg:composer/mediawiki%2Fmaps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
12.1.3

Affected versions

3.*
3.0-RC2
3.0
3.0.1
3.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.3.0
3.4.0
3.4.1
3.5.0
3.6.0
3.7.0
3.8.0
3.8.1
3.8.2
4.*
4.0.0-RC1
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.1.0
4.2.0
4.2.1
4.3.0
4.4.0
5.*
5.0.0
5.0.1
5.0.2
5.1.0
5.2.0
5.3.0
5.4.0
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.6.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.2.0
6.2.1
6.2.2
6.3.0
7.*
7.0.0
7.1.0
7.2.0
7.3.0
7.3.1
7.3.2
7.3.3
7.4.0
7.4.1
7.5.0
7.6.0
7.7.0
7.8.0
7.8.1
7.8.2
7.8.3
7.9.0
7.10.0
7.11.0
7.12.0
7.12.1
7.12.2
7.13.0
7.14.0
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.15.6
7.16.0
7.17.0
7.17.1
7.17.2
7.18.0
7.19.0
7.20.0
7.20.1
8.*
8.0.0
9.*
9.0.0
9.0.1
9.0.2
9.0.3
9.0.4
9.0.5
9.0.6
9.0.7
10.*
10.0.0
10.1.0
10.1.1
10.1.2
10.2.0
10.3.0
11.*
11.0.0
11.0.1
12.*
12.0.0
12.1.0
12.1.1
12.1.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-4h7g-5542-v3fc/GHSA-4h7g-5542-v3fc.json"