CVE-2025-59332 HIGH

CVE-2025-59332: 3DAlloy allows stored XSS through attributes provided to the 3d parser tag/function

Vendor Dolfinus
Product 3DAlloy
Weakness CWE-79 · XSS
Published September 15, 2025
Last update September 15, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

Description

3DAlloy is a lightweight 3D viewer for MediaWiki. In versions 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to supply custom attributes, which are appended to the canvas HTML element that the extension outputs. The attributes are not sanitized, so arbitrary JavaScript can be inserted and executed.
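The defect described above is a missing attribute sanitizer between user-supplied tag/function arguments and the emitted canvas element. The following Python is an added illustration of the mitigation pattern, not code from the 3DAlloy extension (which is PHP) and not its actual fix: it places the unsanitized concatenation next to an allowlist sanitizer that filters attribute names and escapes attribute values. The allowlist of accepted attribute names, the sample input and the function names are constructed for this example.

```python
"""Allowlist-based attribute sanitizer for a user-configurable <canvas> element.

Added example; it is not the 3DAlloy extension's code. It contrasts the
vulnerable pattern (appending user attributes verbatim) with a hardened
version that keeps only known-safe attribute names and escapes values.
"""
import html
import re
from typing import Dict, List, Tuple

# Constructed allowlist (assumption): attributes a viewer canvas might accept.
ALLOWED_ATTRIBUTES = {"width", "height", "class", "id", "title"}

# HTML attribute names: letters, digits and hyphens, starting with a letter.
_ATTR_NAME_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9-]*")
_TOKEN_LIST_RE = re.compile(r"[\w\- ]+")


def is_safe_attribute(name: str, value: str) -> bool:
    """Return True only for allowlisted names with well-formed values."""
    n = name.lower()
    if not _ATTR_NAME_RE.fullmatch(n):
        return False
    if n.startswith("on"):          # event handlers are never allowed
        return False
    if n not in ALLOWED_ATTRIBUTES:  # reject anything not explicitly listed
        return False
    if n in ("id", "class") and not _TOKEN_LIST_RE.fullmatch(value):
        return False
    if n in ("width", "height") and not value.isdigit():
        return False
    return True


def render_canvas_unsafe(attrs: Dict[str, str]) -> str:
    """Vulnerable pattern: user attributes concatenated into the markup as-is."""
    attr_str = " ".join(f'{k}="{v}"' for k, v in attrs.items())
    return f"<canvas {attr_str}></canvas>"


def render_canvas_safe(attrs: Dict[str, str]) -> Tuple[str, List[str]]:
    """Hardened pattern: allowlist the name, escape the value, report drops.

    Returns the rendered element and the list of attribute names that were
    discarded, so the caller can log them for detection purposes.
    """
    kept: List[str] = []
    dropped: List[str] = []
    for k, v in attrs.items():
        if is_safe_attribute(k, v):
            # quote=True turns " into &quot; so a value cannot close the
            # attribute and start a new one.
            kept.append(f'{k.lower()}="{html.escape(v, quote=True)}"')
        else:
            dropped.append(k)
    attr_str = (" " + " ".join(kept)) if kept else ""
    return f"<canvas{attr_str}></canvas>", dropped


if __name__ == "__main__":
    # Constructed sample input: one benign attribute, one event handler, and
    # one allowlisted attribute whose value tries to break out of its quotes.
    sample = {
        "width": "400",
        "onmouseover": "untrustedCode()",
        "title": 'x" onfocus="untrustedCode()',
    }
    print("unsafe:", render_canvas_unsafe(sample))
    safe_html, dropped_names = render_canvas_safe(sample)
    print("safe:  ", safe_html)
    print("dropped attributes:", dropped_names)
```

Two checks matter here and the sanitizer performs both: attribute names are compared against a fixed allowlist (so `on*` handlers and unexpected names are discarded), and attribute values are escaped so a quote inside a permitted attribute cannot terminate it and introduce a new one. Logging the dropped names gives a cheap detection signal for pages carrying injection attempts.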

Key dates

Disclosure timeline

September 15, 2025 CVE published
September 15, 2025 Record updated