CVE-2025-7363

Published Jul 8, 2025

Last updated 8 days ago

CVSS medium 5.4

Overview

Description
The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject arbitrary JavaScript. This issue affects Mediawiki - TitleIcon extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Source
c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.4
Impact score
2.7
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

c4f26cc8-17ff-4c99-b5e2-38fc1793eacc
CWE-79

Social media

Hype score
Not currently trending

  1. CVE-2025-7363 The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an Ht… https://t.co/6sYkMhkaul

    @CVEnew

    8 Jul 2025

    363 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.