CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-4h7g-5542-v3fc: mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function

highCVSS 8.6CVE-2026-52854
Summary Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display_map parser function when using the leaflet service. Details The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243 PoC Preview the following wikitext, using the default configuration options of the extension: {{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}} Impact Stored XSS can be performed by any user with the edit permission.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.6
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-4h7g-5542-v3fc

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-52854coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories