Cross-Site Scripting Vulnerability in Citizen MediaWiki Skin
CVE-2025-49575

6.5MEDIUM

Key Information:

Vendor: Starcitizentools
Status: Mediawiki-skins-citizen
Vendor: CVE Published:; 12 June 2025

🔔 Create Starcitizentools Vulnerability Alert

What is CVE-2025-49575?

The Citizen MediaWiki skin contains a vulnerability that permits the injection of arbitrary HTML into the Document Object Model (DOM). This occurs because multiple system messages are inserted as raw HTML into the CommandPaletteFooter, which can be manipulated by users with the 'editinterface' permission but without 'editsitejs' rights. This flaw may lead to cross-site scripting attacks, putting the usability and security of impacted wikis at risk. The issue has been resolved in version 3.3.1.

Affected Version(s)

mediawiki-skins-Citizen >= 4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5, < 93c36ac778397e0e7c46cf7adb1e5d848265f1bd < 4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5, 93c36ac778397e0e7c46cf7adb1e5d848265f1bd

mediawiki-skins-Citizen >= 3.2.0, < 3.3.1 < 3.2.0, 3.3.1