CVE-2025-49577: starcitizentools/citizen-skin allows stored XSS in preference menu heading messages
Several preference-menu heading messages are inserted into the page as raw HTML rather than being escaped, so anybody who can edit those interface messages can inject arbitrary HTML, including script, into the DOM (stored XSS). In MediaWiki these messages live in the MediaWiki: namespace and can only be changed by users holding the editinterface right, so exploitation requires that privilege or a compromised account that has it; the fix is in the commits listed under References.
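The pattern behind the advisory, as an added example that is not code from the Citizen skin or from the fix commits. It uses a small stand-in for the MediaWiki JS message API (`text()` returns the raw message, `escaped()` HTML-escapes it); the message keys, the heading class name and the injected payload are constructed for illustration and are not the skin's real identifiers. It also includes an audit helper an administrator could run over exported interface messages to find ones carrying markup.

```javascript
// Added example (not code from the Citizen skin): a minimal stand-in for the
// MediaWiki JS message API, showing how a preference-menu heading message
// becomes stored XSS when inserted as raw HTML, and the escaped alternative.

// Constructed message table. On a real wiki these come from the MediaWiki:
// namespace, so whoever can edit interface messages controls their content.
const MESSAGES = {
  'citizen-pref-heading-theme': 'Theme',
  // A heading message that has been edited to carry markup (constructed payload).
  'citizen-pref-heading-font': 'Font size<img src=x onerror="alert(document.domain)">',
};

// Escapes the same five characters mw.html.escape() handles; a stand-in,
// not MediaWiki's own implementation.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Stand-in for mw.message(key): text() returns the raw message,
// escaped() returns it HTML-escaped. Missing keys render as ⧼key⧽ like MediaWiki does.
function message(key) {
  const raw = Object.prototype.hasOwnProperty.call(MESSAGES, key) ? MESSAGES[key] : `\u29FC${key}\u29FD`;
  return { text: () => raw, escaped: () => escapeHtml(raw) };
}

// Vulnerable pattern: the message text is concatenated into an HTML string that
// later lands in the DOM via innerHTML. Any markup in the message is executed.
function renderHeadingUnsafe(key) {
  return `<h3 class="citizen-pref-heading">${message(key).text()}</h3>`;
}

// Hardened pattern: escape before concatenating (equivalently, build the heading
// with document.createElement and assign the message to textContent).
function renderHeadingSafe(key) {
  return `<h3 class="citizen-pref-heading">${message(key).escaped()}</h3>`;
}

// Audit helper: list message keys whose raw text contains markup or entities,
// so an admin can review interface messages that the unescaped code would render live.
function findMarkupInMessages(messages) {
  return Object.keys(messages).filter((k) => /[<>&]/.test(messages[k]));
}

// Usage
console.log(renderHeadingUnsafe('citizen-pref-heading-font')); // raw <img onerror> reaches the page
console.log(renderHeadingSafe('citizen-pref-heading-font'));   // &lt;img ...&gt; is inert text
console.log(findMarkupInMessages(MESSAGES));                   // ['citizen-pref-heading-font']
```

Escaping at the insertion point is the minimal fix; on a real wiki, also review recent edits to MediaWiki:-namespace pages and the list of accounts holding editinterface, since a message that was already tampered with stays tampered with after the skin is upgraded.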
References
- github.com/StarCitizenTools/mediawiki-skins-Citizen
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/a741639085d70c22a9f49890542a142a223bf981
- github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jwr7-992g-68mh
- github.com/advisories/GHSA-jwr7-992g-68mh
- nvd.nist.gov/vuln/detail/CVE-2025-49577