CVE-2025-49576: starcitizentools/citizen-skin allows stored XSS in search no result messages
The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
References
- github.com/StarCitizenTools/mediawiki-skins-Citizen
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/a0296afaedbe1a277337a2d8f1da83cb3a79b9ab
- github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g
- github.com/advisories/GHSA-86xf-2mgp-gv3g
- nvd.nist.gov/vuln/detail/CVE-2025-49576
Code Behaviors & Features
Detect and mitigate CVE-2025-49576 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →