{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mediawiki/maps--12.1.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mediawiki/maps (\u003c 12.1.3)"],"_cs_severities":["high"],"_cs_tags":["xss","mediawiki","web-vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["MediaWiki"],"content_html":"\u003cp\u003eThis brief details CVE-2026-52854, a high-severity stored cross-site scripting (XSS) vulnerability discovered in the MediaWiki Maps extension, specifically affecting versions prior to 12.1.3. The vulnerability stems from improper handling of the \u003ccode\u003eoverlays\u003c/code\u003e parameter within the \u003ccode\u003edisplay_map\u003c/code\u003e parser function when utilizing the 'leaflet' service. The Maps extension fails to adequately escape user-supplied overlay names before they are passed to the Leaflet JavaScript library, which then renders these unescaped inputs as HTML. This flaw allows any authenticated user with \u003ccode\u003eedit\u003c/code\u003e permissions to inject and store arbitrary client-side JavaScript code into wikitext. This code will then execute in the browser of any user viewing the affected page, potentially leading to session hijacking, credential theft, or further client-side attacks against visitors of the MediaWiki instance. The issue was published on 2026-07-02.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a MediaWiki instance with \u003ccode\u003eedit\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to an existing wiki page or creates a new one to edit its content.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and inserts malicious wikitext into the page content, specifically utilizing the \u003ccode\u003edisplay_map\u003c/code\u003e parser function.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003edisplay_map\u003c/code\u003e function, the attacker sets the \u003ccode\u003eservice\u003c/code\u003e parameter to \u003ccode\u003eleaflet\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a JavaScript payload (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=\u0026quot;alert(1);\u0026quot;\u0026gt;\u003c/code\u003e) into the \u003ccode\u003eoverlays\u003c/code\u003e parameter, like \u003ccode\u003eoverlays=OpenTopoMap.\u0026lt;img src=x onerror=\u0026quot;alert(1);\u0026quot;\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker saves or previews the modified wiki page, causing the MediaWiki application to process the wikitext.\u003c/li\u003e\n\u003cli\u003eThe Maps extension passes the unescaped \u003ccode\u003eoverlays\u003c/code\u003e value directly to the Leaflet JavaScript library when rendering the map.\u003c/li\u003e\n\u003cli\u003eWhen a victim views the affected wiki page, their browser renders the malicious HTML supplied by the Leaflet library, executing the injected JavaScript code in the victim's browser context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-52854 results in stored cross-site scripting, enabling an attacker with \u003ccode\u003eedit\u003c/code\u003e permissions to execute arbitrary JavaScript code in the context of a victim's browser. This can lead to various malicious outcomes, including session hijacking, defacement of web pages, redirection to phishing sites, or further client-side attacks designed to steal sensitive user data or credentials. While no specific victim count or targeted sectors are mentioned, any MediaWiki instance running the vulnerable Maps extension (versions prior to 12.1.3) is susceptible, potentially impacting all users who view pages containing the injected content.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-52854 immediately by updating the \u003ccode\u003ecomposer/mediawiki/maps\u003c/code\u003e extension to version 12.1.3 or higher.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect CVE-2026-52854 Exploitation Attempt — MediaWiki Maps XSS Injection\u003c/code\u003e Sigma rule provided in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging to capture \u003ccode\u003ecs-uri-query\u003c/code\u003e and \u003ccode\u003ecs-method\u003c/code\u003e for all requests, especially those made to editing endpoints.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to detect and block common XSS payloads in request parameters and body content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:51:24Z","date_published":"2026-07-03T11:51:24Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mediawiki-maps-xss/","summary":"A high-severity stored cross-site scripting (XSS) vulnerability, CVE-2026-52854, exists in the MediaWiki Maps extension (versions prior to 12.1.3), allowing any authenticated user with edit permissions to inject malicious JavaScript into the `overlays` parameter of the `display_map` parser function, leading to arbitrary client-side code execution in a victim's browser.","title":"MediaWiki Maps Stored XSS via display_map `overlays` Parameter (CVE-2026-52854)","url":"https://feed.craftedsignal.io/briefs/2026-07-mediawiki-maps-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Mediawiki/Maps (\u003c 12.1.3)","version":"https://jsonfeed.org/version/1.1"}