Stored XSS Vulnerability in MsUpload Extension for MediaWiki
CVE-2025-7362

Currently unrated

Key Information:

Vendor: Wikimedia Foundation
Status: Mediawiki - Msupload Extension
Vendor: CVE Published:; 8 July 2025

🔔 Create Wikimedia Foundation Vulnerability Alert

What is CVE-2025-7362?

The MsUpload extension for MediaWiki contains a vulnerability allowing stored XSS via the msu-continue system message. This issue arises when users upload a file with the same name twice, leading to the injection of unsafe content into the DOM without adequate sanitization, potentially compromising the security of the web application and its users.

Affected Version(s)

Mediawiki - MsUpload extension 1.39.x < 1.39.13

Mediawiki - MsUpload extension 1.42.x < 1.42.7

Mediawiki - MsUpload extension 1.43.x < 1.43.2

References

https://phabricator.wikimedia.org/T394864

https://gerrit.wikimedia.org/r/q/Icf4c0a5a936926ea887ca2e...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Jul 8, 2025