Arbitrary HTML Injection in TabberNeue MediaWiki Extension by StarCitizenTools
CVE-2025-53093

8.6HIGH

Key Information:

Vendor

Starcitizentools

Status
Mediawiki-extensions-tabberneue
Vendor
CVE Published:
27 June 2025

What is CVE-2025-53093?

The TabberNeue extension for MediaWiki contains a vulnerability that allows users to inject arbitrary HTML code into the DOM. This weakness arises from improper handling of attributes in the <tabber> tag. Due to this flaw, attackers can exploit the system by inserting malicious scripts or content, potentially leading to unauthorized access or data manipulation. The issue has been addressed in version 3.1.1, which includes a patch. It is crucial for users of the affected versions to upgrade to the latest release to mitigate this risk.

Affected Version(s)

mediawiki-extensions-TabberNeue >= 3.0.0, < 3.1.1

References

https://github.com/StarCitizenTools/mediawiki-extensions-...
x_refsource_CONFIRM
https://github.com/StarCitizenTools/mediawiki-extensions-...
x_refsource_MISC
https://github.com/StarCitizenTools/mediawiki-extensions-...
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-53093 : Arbitrary HTML Injection in TabberNeue MediaWiki Extension by StarCitizenTools