CVE-2025-21612: Extension:TabberNeue vulnerable to Cross-site Scripting
There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user who can edit pages or otherwise render wikitext to carry out cross-site scripting (XSS) against other users.
Edit: Only the first XSS can be reproduced in production.
References
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j
- github.com/advisories/GHSA-4x6x-8rm8-c37j
- nvd.nist.gov/vuln/detail/CVE-2025-21612