CVE-2025-21612 HIGH

CVE-2025-21612: Cross-site Scripting in TabberTransclude in Extension:TabberNeue

Vendor Starcitizentools
Product mediawiki-extensions-TabberNeue
Weakness CWE-79 · XSS
Published January 6, 2025
Last update August 26, 2025
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.

Key dates

02Disclosure timeline

January 6, 2025 CVE published
August 26, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-29510 Hereta ETH-IMC408M Stored XSS via Device Name CVE-2024-10185 StreamWeasels YouTube Integration <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via sw-youtube-embed Shortcode CVE-2025-24726 WordPress Contact Form 7 Widget plugin <= 1.2.1 - Stored Cross Site Scripting (XSS) vulnerability CVE-2025-32680 WordPress Review Stream plugin <= 1.6.7 - Cross Site Scripting (XSS) vulnerability CVE-2024-37409 WordPress PowerPack Lite for Beaver Builder plugin <= 1.3.0.4 - Cross Site Scripting (XSS) vulnerability