CVE-2025-49576 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the Citizen skin for MediaWiki developed by StarCitizenTools. The vulnerability arises from improper neutralization of input during web page generation, specifically in the handling of two system messages: citizen-search-noresults-title and citizen-search-noresults-desc. These messages are inserted directly into raw HTML without adequate sanitization or encoding, allowing any user with permission to edit these messages to inject arbitrary HTML and JavaScript code into the Document Object Model (DOM) of the rendered page. This flaw exists in versions of the mediawiki-skins-Citizen skin from 2.31.0 up to but not including 3.3.1, and also in certain Git commit ranges prior to the 3.3.1 fix. The vulnerability requires the attacker to have high privileges (PR:H) to edit system messages but does not require any user interaction (UI:N) for exploitation once the malicious content is inserted. The attack vector is network-based (AV:N), meaning exploitation can be done remotely over the network. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The impact affects confidentiality and integrity (C:H/I:H) but not availability (A:N). Since the malicious code is injected into pages viewed by other users, successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser session. No known exploits are currently reported in the wild. The vulnerability was publicly disclosed on June 12, 2025, and fixed in version 3.3.1 of the Citizen skin. The root cause is the failure to properly sanitize or encode user-controlled content inserted into HTML, a common XSS vector in web applications and extensions that dynamically generate page content.

For European organizations using MediaWiki with the Citizen skin, this vulnerability poses a significant risk to internal knowledge bases, documentation portals, and collaborative platforms. Since exploitation requires high privileges to edit system messages, the threat is primarily insider or compromised privileged user scenarios. However, once exploited, the injected scripts can affect any user accessing the affected MediaWiki instance, potentially leading to credential theft, session hijacking, or unauthorized actions performed on behalf of legitimate users. This can result in data breaches, intellectual property theft, and disruption of internal communications. Organizations in sectors with high reliance on MediaWiki for documentation, such as technology firms, research institutions, and government agencies, could face reputational damage and compliance issues under GDPR if personal data is compromised. The vulnerability does not impact availability directly but undermines trust in the integrity and confidentiality of the platform. Given the medium severity and the requirement for privileged access, the risk is moderate but should not be underestimated in environments where MediaWiki is widely used for sensitive or critical information.

1. Immediate upgrade to mediawiki-skins-Citizen version 3.3.1 or later, where the vulnerability is fixed. 2. Restrict and audit permissions for editing system messages, limiting this capability to a minimal number of trusted administrators. 3. Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS payloads. 4. Regularly review and sanitize all user-editable content, especially system messages and templates, to prevent injection of malicious code. 5. Monitor MediaWiki logs for unusual edits to system messages or other high-privilege content areas. 6. Educate administrators about the risks of XSS and the importance of cautious editing of system messages. 7. Consider deploying web application firewalls (WAF) with rules tuned to detect and block XSS attempts targeting MediaWiki instances. 8. Conduct periodic security assessments and penetration tests focusing on privileged user functions within MediaWiki environments.