<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mediawiki/Maps (&lt; 12.1.3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mediawiki/maps--12.1.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:51:24 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mediawiki/maps--12.1.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>MediaWiki Maps Stored XSS via display_map `overlays` Parameter (CVE-2026-52854)</title><link>https://feed.craftedsignal.io/briefs/2026-07-mediawiki-maps-xss/</link><pubDate>Fri, 03 Jul 2026 11:51:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mediawiki-maps-xss/</guid><description>A high-severity stored cross-site scripting (XSS) vulnerability, CVE-2026-52854, exists in the MediaWiki Maps extension (versions prior to 12.1.3), allowing any authenticated user with edit permissions to inject malicious JavaScript into the `overlays` parameter of the `display_map` parser function, leading to arbitrary client-side code execution in a victim's browser.</description><content:encoded><![CDATA[<p>This brief details CVE-2026-52854, a high-severity stored cross-site scripting (XSS) vulnerability discovered in the MediaWiki Maps extension, specifically affecting versions prior to 12.1.3. The vulnerability stems from improper handling of the <code>overlays</code> parameter within the <code>display_map</code> parser function when utilizing the 'leaflet' service. The Maps extension fails to adequately escape user-supplied overlay names before they are passed to the Leaflet JavaScript library, which then renders these unescaped inputs as HTML. This flaw allows any authenticated user with <code>edit</code> permissions to inject and store arbitrary client-side JavaScript code into wikitext. This code will then execute in the browser of any user viewing the affected page, potentially leading to session hijacking, credential theft, or further client-side attacks against visitors of the MediaWiki instance. The issue was published on 2026-07-02.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains authenticated access to a MediaWiki instance with <code>edit</code> permissions.</li>
<li>The attacker navigates to an existing wiki page or creates a new one to edit its content.</li>
<li>The attacker crafts and inserts malicious wikitext into the page content, specifically utilizing the <code>display_map</code> parser function.</li>
<li>Within the <code>display_map</code> function, the attacker sets the <code>service</code> parameter to <code>leaflet</code>.</li>
<li>The attacker injects a JavaScript payload (e.g., <code>&lt;img src=x onerror=&quot;alert(1);&quot;&gt;</code>) into the <code>overlays</code> parameter, like <code>overlays=OpenTopoMap.&lt;img src=x onerror=&quot;alert(1);&quot;&gt;</code>.</li>
<li>The attacker saves or previews the modified wiki page, causing the MediaWiki application to process the wikitext.</li>
<li>The Maps extension passes the unescaped <code>overlays</code> value directly to the Leaflet JavaScript library when rendering the map.</li>
<li>When a victim views the affected wiki page, their browser renders the malicious HTML supplied by the Leaflet library, executing the injected JavaScript code in the victim's browser context.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-52854 results in stored cross-site scripting, enabling an attacker with <code>edit</code> permissions to execute arbitrary JavaScript code in the context of a victim's browser. This can lead to various malicious outcomes, including session hijacking, defacement of web pages, redirection to phishing sites, or further client-side attacks designed to steal sensitive user data or credentials. While no specific victim count or targeted sectors are mentioned, any MediaWiki instance running the vulnerable Maps extension (versions prior to 12.1.3) is susceptible, potentially impacting all users who view pages containing the injected content.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-52854 immediately by updating the <code>composer/mediawiki/maps</code> extension to version 12.1.3 or higher.</li>
<li>Deploy the <code>Detect CVE-2026-52854 Exploitation Attempt — MediaWiki Maps XSS Injection</code> Sigma rule provided in this brief to your SIEM and tune for your environment.</li>
<li>Enable comprehensive web server logging to capture <code>cs-uri-query</code> and <code>cs-method</code> for all requests, especially those made to editing endpoints.</li>
<li>Implement a Web Application Firewall (WAF) to detect and block common XSS payloads in request parameters and body content.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>mediawiki</category><category>web-vulnerability</category><category>web-application</category></item></channel></rss>