CVE-2025-7362

MEDIUM

MediaWiki MsUpload <1.39.13-1.42.7-1.43.2 - XSS

Title source: llm
STIX 2.1

Description

The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice. This issue affects Mediawiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Scores

CVSS v3 5.4
EPSS 0.0017
EPSS Percentile 6.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
Wikimedia Foundation/Mediawiki - MsUpload extension 1.39.x - 1.39.13
Wikimedia Foundation/Mediawiki - MsUpload extension 1.42.x - 1.42.7
Wikimedia Foundation/Mediawiki - MsUpload extension 1.43.x - 1.43.2
Published Jul 08, 2025
Tracked Since Feb 18, 2026