CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52854

highCVSS 8.6covered by 1 sourcefirst seen 2026-07-02
Summary Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display_map parser function when using the leaflet service. Details The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243 PoC Preview the following wikitext, using the default configuration options of the extension: {{#display_map:0,0|service=leaflet|overlays=OpenTopoMap.<img src=x onerror="alert(1);">}} Impact Stored XSS can be performed by any user with the edit permission.

⚡ Watch CVE-2026-52854

Get an email if CVE-2026-52854 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52854

CVE.org record

Embed the live status

CVE-2026-52854 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52854 status](https://www.csirts.com/badge/CVE-2026-52854)](https://www.csirts.com/cve/CVE-2026-52854)