Description

The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject arbitrary JavaScript. This issue affects the MediaWiki TitleIcon extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, and from 1.43.X before 1.43.2.

INFO

Published Date: 2025-07-08T17:27:17.643Z

Last Modified: 2025-07-10T14:07:16.818Z

Source: wikimedia-foundation

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-7363 vulnerability.

Vendor: Mediawiki
Product: Mediawiki