CVE-2025-53368 HIGH

CVE-2025-53368: Citizen is vulnerable to stored XSS attack in the legacy search bar

Vendor Starcitizentools
Product mediawiki-skins-Citizen
Weakness CWE-79 · XSS
Published July 3, 2025
Last update July 3, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0.

Key dates

02Disclosure timeline

July 3, 2025 CVE published
July 3, 2025 Record updated

Related vulnerabilities

04Related CVE