CVE-2025-53093: TabberNeue vulnerable to Stored XSS through wikitext
Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the <tabber> tag.
References
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/templates/Tabs.mustache
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/4cdf217ef96da74a1503d1dd0bb0ed898fc2a612
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/62ce0fcdf32bd3cfa77f92ff6b940459a14315fa
- github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-jfj7-249r-7j2m
- github.com/advisories/GHSA-jfj7-249r-7j2m
- nvd.nist.gov/vuln/detail/CVE-2025-53093
Code Behaviors & Features
Detect and mitigate CVE-2025-53093 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →