Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-7363

The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject arbitrary JavaScript. This issue affects Mediawiki - TitleIcon extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Published

2025-07-08T18:15:46.913

Last Modified

2025-07-10T14:15:27.100

Status

Awaiting Analysis

Source

c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

References

https://gerrit.wikimedia.org/r/q/I107ab638fecbf52b5bec3f02726ed24b1ae74429 (c4f26cc8-17ff-4c99-b5e2-38fc1793eacc)
https://gerrit.wikimedia.org/r/q/I2e8c73445172679634f6ec64d37cf82507dfa110 (c4f26cc8-17ff-4c99-b5e2-38fc1793eacc)
https://phabricator.wikimedia.org/T394721 (c4f26cc8-17ff-4c99-b5e2-38fc1793eacc)
https://phabricator.wikimedia.org/T394721 (134c704f-9b21-4f2e-91b3-4a467353bcc0)