# CVE-2026-52854: Stored XSS in mediawiki/maps via the `overlays` parameter of `display_map` (leaflet service)
| Field | Value |
|---|---|
| CVE ID | CVE-2026-52854 |
| Vendor | composer |
| Affected Product | mediawiki/maps |
| Vulnerability Type | Stored cross-site scripting (XSS) |
| CVSS Score | 8.6 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
## Summary

Stored XSS through wikitext can be performed by inserting malicious HTML into the `overlays` parameter of the `display_map` parser function when using the `leaflet` service.

## Details

The Maps extension does not escape overlay names before passing them to Leaflet. Leaflet then inserts them as HTML: https://github.com/ProfessionalWiki/Maps/blob/ca5139fabd75f3c34f47ea3fd161306506b053bc/resources/lib/leaflet/leaflet.js#L5243

## PoC

Preview the following wikitext, using the default configuration options of the extension: `{{#display_map:0,0|service=leaflet|overlays=OpenTopoMap. }}`

## Impact

Stored XSS can be performed by any user with the `edit` permission.
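The following JavaScript is an added example, not code from the Maps extension or from Leaflet, illustrating the general pattern behind this advisory: overlay names taken from a `display_map` call reach a component that assigns them to `innerHTML`, so any markup characters in a name become live HTML. The label builder `renderOverlayLabel` is a hypothetical stand-in for the Leaflet line the advisory links, `parseDisplayMapParams` is a simplified parameter splitter that ignores nested templates, and the overlay names are constructed sample data. The hardened path escapes each name before it is handed to the renderer; whether the real fix lives in the extension or elsewhere is not stated here and is not assumed.

```javascript
// Added example (not code from the Maps extension or Leaflet).

// Escape the five characters that matter in HTML element content and
// attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Simplified parser for a {{#display_map:...}} call: splits on '|' into
// positional values and key=value pairs. Real wikitext can nest templates
// whose '|' characters this does not handle; that is a deliberate
// simplification for the illustration.
function parseDisplayMapParams(wikitext) {
  const m = /^\{\{#display_map:([\s\S]*)\}\}$/.exec(wikitext.trim());
  if (!m) return null;
  const params = { positional: [] };
  for (const raw of m[1].split('|')) {
    const part = raw.trim();
    const eq = part.indexOf('=');
    if (eq === -1) params.positional.push(part);
    else params[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return params;
}

// Hypothetical label builder that, like the Leaflet line cited in the
// advisory, treats the overlay name as HTML. It returns the markup as a
// string so it can be inspected without a DOM.
function renderOverlayLabel(name) {
  return '<label><input type="checkbox"> <span>' + name + '</span></label>';
}

// Vulnerable path: names from wikitext are passed through unchanged.
function buildLayerControlUnsafe(overlayNames) {
  return overlayNames.map(renderOverlayLabel).join('');
}

// Hardened path: escape each name first. The renderer is unchanged, so the
// fix does not depend on how the consuming library inserts the text.
function buildLayerControlSafe(overlayNames) {
  return overlayNames.map((n) => renderOverlayLabel(escapeHtml(n))).join('');
}

// Detection helper for reviewing stored wikitext: flags overlay names that
// contain characters an HTML sink would interpret as markup.
function overlayNamesContainMarkup(overlayNames) {
  return overlayNames.some((n) => /[<>&"']/.test(String(n)));
}

// Constructed sample inputs: the advisory's PoC call (payload elided there,
// elided here too) and a name containing markup characters.
const SAMPLE_WIKITEXT = '{{#display_map:0,0|service=leaflet|overlays=OpenTopoMap. }}';
const SAMPLE_OVERLAYS = ['OpenTopoMap', 'Trails <i>draft</i> & notes'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseDisplayMapParams(SAMPLE_WIKITEXT));
  console.log(buildLayerControlUnsafe(SAMPLE_OVERLAYS));
  console.log(buildLayerControlSafe(SAMPLE_OVERLAYS));
}
```

Running the block prints the parsed parameters, the unsafe markup in which the second name's tags survive intact, and the hardened markup in which they appear as literal text. The same `escapeHtml` step belongs at any boundary where text from wikitext is handed to a library that uses `innerHTML`.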