CVE-2025-21612 is a high-severity cross-site scripting (XSS) vulnerability affecting the TabberNeue extension for MediaWiki, specifically versions from 1.9.1 up to but not including 2.7.2. TabberNeue is used to create tabbed interfaces within MediaWiki pages. The vulnerability arises from improper neutralization of user-supplied input in the TabberTransclude.php file, where the page name parameter is not properly escaped before being output in the generated web page. This allows an attacker to inject malicious scripts via crafted page names, which are then executed in the context of users viewing the affected wiki pages. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags). The CVSS v3.1 base score is 8.6, indicating a high severity, with an attack vector of network (remote exploitation), low attack complexity, no privileges required, and no user interaction needed. Successful exploitation can lead to significant confidentiality impact by stealing session cookies or other sensitive data, limited integrity impact, and availability impact through potential browser crashes or denial of service. The issue was fixed in version 2.7.2 of the extension. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and thus poses a risk to unpatched systems. Given the nature of MediaWiki deployments, this vulnerability can be exploited by unauthenticated remote attackers simply by convincing users to visit a maliciously crafted wiki page or link.

For European organizations using MediaWiki with the TabberNeue extension in vulnerable versions, the impact can be significant. Many public and private sector entities in Europe rely on MediaWiki for internal documentation, knowledge bases, and collaborative projects. An attacker exploiting this XSS vulnerability could execute arbitrary JavaScript in the context of users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. This is particularly concerning for organizations handling sensitive or regulated data, such as government agencies, financial institutions, and healthcare providers. The vulnerability could also be leveraged to deliver malware or conduct phishing attacks targeted at employees or partners. Additionally, the availability of the wiki platform could be disrupted if the injected scripts cause browser instability or denial of service. Given the ease of exploitation (no authentication or user interaction required beyond visiting a page), the threat is elevated for organizations with publicly accessible MediaWiki instances or those with large user bases. The lack of known exploits in the wild currently provides a window for proactive patching before widespread attacks occur.

European organizations should immediately assess their MediaWiki installations to determine if the TabberNeue extension is installed and identify the version in use. If the version is prior to 2.7.2, an upgrade to 2.7.2 or later should be performed without delay to apply the official fix. If upgrading is not immediately feasible, temporary mitigations include disabling the TabberNeue extension or restricting access to the wiki to trusted users only. Additionally, organizations should implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Regular security audits and input validation reviews should be conducted on custom MediaWiki extensions or configurations. User awareness training to recognize suspicious links and pages can also reduce the risk of exploitation. Monitoring web server logs and user activity for unusual patterns related to wiki page requests may help detect attempted exploitation. Finally, organizations should keep abreast of any emerging exploit reports or patches related to this vulnerability.