CVE-2025-7363

MEDIUM

MediaWiki TitleIcon <1.39.13-1.42.7-1.43.2 - XSS

Title source: llm
STIX 2.1

Description

The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject arbitrary JavaScript. This issue affects Mediawiki - TitleIcon extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Scores

CVSS v3 5.4
EPSS 0.0020
EPSS Percentile 10.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
Wikimedia Foundation/Mediawiki - TitleIcon extension 1.39.x - 1.39.13
Wikimedia Foundation/Mediawiki - TitleIcon extension 1.42.x - 1.42.7
Wikimedia Foundation/Mediawiki - TitleIcon extension 1.43.x - 1.43.2
Published Jul 08, 2025
Tracked Since Feb 18, 2026