CVE-2025-49576: 
PHP vulnerability analysis and mitigation

The vulnerability (CVE-2025-49576) affects the Citizen MediaWiki skin, which is designed to make extensions part of a cohesive experience. The vulnerability was discovered in June 2025 and involves stored Cross-Site Scripting (XSS) in search result messages. The issue specifically affects the citizen-search-noresults-title and citizen-search-noresults-desc system messages, which are inserted into raw HTML, allowing users with specific permissions to insert arbitrary HTML into the DOM. This vulnerability has been fixed in version 3.3.1 (GitHub Advisory, NVD).

The vulnerability stems from the improper handling of system messages in the Citizen MediaWiki skin. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted as raw HTML through the Mustache template, enabling arbitrary HTML injection into the DOM. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (GitHub Advisory, NVD).

The vulnerability impacts wikis where a user group has the editinterface permission but not the editsitejs user right. When exploited, it allows attackers to inject arbitrary HTML into the DOM, potentially leading to high confidentiality and integrity impacts, though availability is not affected (GitHub Advisory).

The vulnerability has been fixed in version 3.3.1 of the Citizen MediaWiki skin. The fix involves proper escaping of the system messages to prevent HTML injection. Users are advised to upgrade to this version to mitigate the vulnerability (NVD).