Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display_map parser function when the leaflet service is used.
The Maps extension does not escape overlay names before passing them to Leaflet, and Leaflet inserts them into the page as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243
Preview the following wikitext, using the default configuration options of the extension:
{{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}}
Stored XSS can therefore be performed by any user with edit permission.
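The following is an added example, not code from the Maps extension or from Leaflet. It models the flow the advisory describes: an overlay name taken from wikitext is concatenated into markup the way an innerHTML assignment would, so the `<img onerror>` payload survives as an element; escaping the name at the extension boundary (before it reaches Leaflet) turns it into inert text. The function names, the string-concatenation model of the innerHTML sink and the handler-detecting regex are assumptions made for illustration.

```javascript
// Added example: not code from the Maps extension or Leaflet.
// It models an unescaped overlay name reaching an innerHTML-style sink,
// beside the escaping that prevents it. Function names, the string model
// of the sink and the regex check are assumptions for illustration.

// The overlays value from the advisory's proof-of-concept wikitext.
const OVERLAY_FROM_WIKITEXT = 'OpenTopoMap.<img src=x onerror="alert(1);">';

// Minimal HTML escaping for text placed in element content or a quoted
// attribute: the five characters that matter in either context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable path: the raw name is spliced into markup, which is what an
// `element.innerHTML = ' ' + name` assignment amounts to.
function renderLayerLabelUnsafe(name) {
  return "<label><span> " + name + "</span></label>";
}

// Hardened path: escape before the name becomes markup. In a real browser
// the equivalent is `span.textContent = name` instead of innerHTML.
function renderLayerLabelSafe(name) {
  return "<label><span> " + escapeHtml(name) + "</span></label>";
}

// Rough check used only to show the difference between the two outputs:
// does the markup contain an element carrying an on* event handler attribute?
// (Assumed heuristic, not a general XSS detector.)
function hasEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration of both renderings for the proof-of-concept name.
console.log("unsafe :", renderLayerLabelUnsafe(OVERLAY_FROM_WIKITEXT));
console.log("safe   :", renderLayerLabelSafe(OVERLAY_FROM_WIKITEXT));
console.log("handler survives unsafe render:",
  hasEventHandlerTag(renderLayerLabelUnsafe(OVERLAY_FROM_WIKITEXT)));
console.log("handler survives safe render  :",
  hasEventHandlerTag(renderLayerLabelSafe(OVERLAY_FROM_WIKITEXT)));
```

Because the advisory reports that Leaflet inserts layer names as HTML, the escaping has to happen in the extension, on the server side, before the overlay name is handed to Leaflet; escaping only in page output elsewhere would not reach this sink. Benign names such as `OpenTopoMap` pass through `escapeHtml` unchanged, so the hardened path does not alter legitimate overlays.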
{
"github_reviewed_at": "2026-07-02T17:51:24Z",
"nvd_published_at": null,
"github_reviewed": true,
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"severity": "HIGH"
}