CVE-2025-49575: Citizen skin vulnerable to stored XSS through multiple system messages

June 11, 2025 (updated June 13, 2025)

Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

References

github.com/StarCitizenTools/mediawiki-skins-Citizen
github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5
github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65
github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87
github.com/advisories/GHSA-4c2h-67qq-vm87
nvd.nist.gov/vuln/detail/CVE-2025-49575

Code Behaviors & Features

Detect and mitigate CVE-2025-49575 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →