CVE-2025-49576 MEDIUM

CVE-2025-49576: Citizen allows stored XSS in search no result messages

Vendor Starcitizentools
Product mediawiki-skins-Citizen
Weakness CWE-79 · XSS
Published June 12, 2025
Last update June 12, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.

Key dates

02Disclosure timeline

June 12, 2025 CVE published
June 12, 2025 Record updated