CVE-2025-49579: starcitizentools/citizen-skin allows stored XSS in menu heading message
All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
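The following is an added illustration, not code from the Citizen skin or its advisory: a minimal Mustache-style renderer that distinguishes raw (triple-brace) from escaped (double-brace) insertion, together with a small lint that lists the raw-HTML sinks in a template. The template strings, the `heading` key and the message text are constructed for this example; the real Menu.mustache markup and message keys are assumptions here.

```javascript
// Added illustration, not code from the Citizen skin: a minimal Mustache-style
// renderer that distinguishes raw ({{{key}}}) from escaped ({{key}}) insertion,
// plus a lint that lists the raw-HTML sinks in a template. The template
// strings, the "heading" key and the message text are constructed; the real
// Menu.mustache and message keys are assumptions, not taken from the project.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape untrusted text so it is rendered as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Render a template against a view object. Triple braces insert the value
// unchanged (the pattern the advisory describes); double braces escape it,
// so an editor-controlled message such as a menu heading stays inert.
function render(template, view) {
  const tag = /\{\{\{\s*([\w-]+)\s*\}\}\}|\{\{\s*([\w-]+)\s*\}\}/g;
  return template.replace(tag, (_, rawKey, escKey) =>
    rawKey !== undefined
      ? String(view[rawKey] ?? '')
      : escapeHtml(view[escKey] ?? ''));
}

// Lint helper: return the keys a template inserts as raw HTML. Any key that
// maps to a wiki-editable system message should not appear in this list.
function findRawSinks(template) {
  const sinks = [];
  const raw = /\{\{\{\s*([\w-]+)\s*\}\}\}/g;
  let m;
  while ((m = raw.exec(template)) !== null) sinks.push(m[1]);
  return sinks;
}

// Constructed templates: the first reflects the vulnerable pattern, the
// second the escaped form a reviewer would expect for editable text.
const VULNERABLE_TEMPLATE = '<h3 class="menu-heading">{{{heading}}}</h3>';
const HARDENED_TEMPLATE = '<h3 class="menu-heading">{{heading}}</h3>';

// Constructed message text standing in for a system message an editor controls.
const EDITED_MESSAGE = 'Navigation<script>run()</script>';

// Returns both renderings and the lint results so the difference is visible.
function demo() {
  return {
    vulnerable: render(VULNERABLE_TEMPLATE, { heading: EDITED_MESSAGE }),
    hardened: render(HARDENED_TEMPLATE, { heading: EDITED_MESSAGE }),
    rawSinksBefore: findRawSinks(VULNERABLE_TEMPLATE),
    rawSinksAfter: findRawSinks(HARDENED_TEMPLATE),
  };
}

console.log(demo());
```

The lint is the part worth keeping around: run `findRawSinks` over every .mustache file in a skin or extension and compare the returned keys against the list of values that originate from system messages; any overlap is a stored-XSS sink of exactly the kind this advisory describes, regardless of which wiki message happens to be involved.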
References
- github.com/StarCitizenTools/mediawiki-skins-Citizen
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
- github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g3cp-pq72-hjpv
- github.com/advisories/GHSA-g3cp-pq72-hjpv
- nvd.nist.gov/vuln/detail/CVE-2025-49579