-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| starcitizentools/citizen-skin | composer | >= 2.31.0, < 3.3.1 | 3.3.1 |
Miggo AIRoot Cause AnalysisThe vulnerability (CVE-2025-49576, GHSA-86xf-2mgp-gv3g) is a stored Cross-Site Scripting (XSS) issue in the StarCitizenTools/mediawiki-skins-Citizen MediaWiki skin. It occurs because user-editable system messages, specifically citizen-search-noresults-title and citizen-search-noresults-desc, were rendered unescaped in the search results placeholder when a search yielded no results.
The core of the vulnerability lay in the resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache template. Before the fix, this template used {{{.}}} (triple-stash) for rendering the title and description messages. In Mustache templating, triple-stashes indicate that the variable should be rendered as raw, unescaped HTML.
The JavaScript function searchResults.getPlaceholderHTML, located in resources/skins.citizen.search/searchResults.js, is responsible for fetching these system messages (using mw.message(...).text()) and then passing them to be rendered by the TypeaheadPlaceholder.mustache template. The mw.message().text() method retrieves the plain text content of the message, which, if crafted maliciously, would contain HTML tags.
When a user performs a search that yields no results, the searchResults.getPlaceholderHTML function is invoked. It prepares the data containing the potentially malicious title and description and passes it to the Mustache template engine. The template then, due to the triple-stashes, injects this raw HTML into the DOM.
The fix, primarily implemented in commit 93c36ac778397e0e7c46cf7adb1e5d848265f1bd, involved changing the triple-stashes {{{.}}} to double-stashes {{.}} in the TypeaheadPlaceholder.mustache template. Double-stashes ensure that the content is HTML-escaped before rendering, thus neutralizing the XSS vector.
Commit a0296afaedbe1a277337a2d8f1da83cb3a79b9ab was part of a larger refactor that shows searchResults.getPlaceholderHTML being used to provide data for this placeholder template.
Therefore, searchResults.getPlaceholderHTML is identified as the vulnerable function because it processes the user-controllable, potentially malicious input (the system messages) and directs it to the component (the Mustache template) that, prior to patching, rendered it unsafely.
PHPPHPKEV Misses 88% of Exploited CVEs- Get the report