EXECUTIVE SUMMARY:
CVE-2026-52854 with a CVSS score of 8.6 is a stored cross-site scripting (XSS) vulnerability affecting the composer/mediawiki/maps package. This technical flaw arises because the extension fails to adequately sanitize user-supplied input within the overlays parameter of the display_map parser function, specifically when the Leaflet mapping service is in use. Consequently, an attacker possessing standard edit permissions can inject malicious HTML or JavaScript payloads directly into wikitext, which the Leaflet library subsequently renders without proper escaping. Successful exploitation of this issue grants the attacker the ability to execute arbitrary code within the browser session of any user viewing the compromised map page. This capability presents severe business risks, including the potential theft of session cookies, credential harvesting, or defacement of the platform, ultimately undermining user trust and system integrity. To exploit this vulnerability, the adversary must have the ability to edit content on the MediaWiki instance, and the application must be configured to utilize the vulnerable Leaflet service component.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-52854 with a CVSS score of 8.6 is a stored cross-site scripting (XSS) vulnerability affecting the composer/mediawiki/maps package. This technical flaw arises because the extension fails to adequately sanitize user-supplied input within the overlays parameter of the display_map parser function, specifically when the Leaflet mapping service is in use. Consequently, an attacker possessing standard edit permissions can inject malicious HTML or JavaScript payloads directly into wikitext, which the Leaflet library subsequently renders without proper escaping. Successful exploitation of this issue grants the attacker the ability to execute arbitrary code within the browser session of any user viewing the compromised map page. This capability presents severe business risks, including the potential theft of session cookies, credential harvesting, or defacement of the platform, ultimately undermining user trust and system integrity. To exploit this vulnerability, the adversary must have the ability to edit content on the MediaWiki instance, and the application must be configured to utilize the vulnerable Leaflet service component.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-4h7g-5542-v3fc