CVE-2025-21612: Extension:TabberNeue vulnerable to Cross-site Scripting
There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users.
Edit: Only the first XSS can be reproduced in production.
References
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j
- github.com/advisories/GHSA-4x6x-8rm8-c37j
- nvd.nist.gov/vuln/detail/CVE-2025-21612
Code Behaviors & Features
Detect and mitigate CVE-2025-21612 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →