PatchSiren cyber security CVE debrief
CVE-2025-10354 Semantic MediaWiki CVE debrief
A reflected Cross-Site Scripting (XSS) vulnerability exists in Semantic MediaWiki, specifically affecting the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability allows an attacker to execute arbitrary JavaScript code in a victim's browser by tricking them into visiting a maliciously crafted URL. Successful exploitation could enable session cookie theft or unauthorized actions performed on behalf of the authenticated user. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and user interaction required, with low impacts to confidentiality and integrity of the system. The NVD entry status is currently 'Deferred', indicating the record may be awaiting additional analysis or vendor coordination.
- Vendor
- Semantic MediaWiki
- Product
- Unknown
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-21
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-04-21
- Advisory updated
- 2026-05-19
Who should care
Organizations running Semantic MediaWiki instances, particularly those with Dutch localization enabled; security teams managing wiki platforms; developers responsible for MediaWiki extension security
Technical summary
Reflected XSS in Semantic MediaWiki's Dutch-language faceted search endpoint (Speciaal:GefacetteerdZoeken) allows JavaScript execution via malicious URL parameters. Attack requires user interaction (clicking crafted link). Impact: session hijacking, unauthorized actions. No known patches or exploitation in wild as of disclosure date.
Defensive priority
medium
Recommended defensive actions
- Review Semantic MediaWiki installations for the '/index.php/Speciaal:GefacetteerdZoeken' endpoint and implement input validation/sanitization for all URL parameters
- Deploy Content Security Policy (CSP) headers to mitigate impact of potential XSS exploitation
- Monitor for security advisories from Semantic MediaWiki maintainers regarding official patches
- Conduct code review of faceted search functionality for proper output encoding per OWASP XSS Prevention guidelines
- Enable HTTP-only and Secure flags on session cookies to reduce impact of potential cookie theft
- Consider Web Application Firewall (WAF) rules to detect and block reflected XSS payloads in the affected endpoint
Evidence notes
Vulnerability disclosed via INCIBE-CERT (Spanish National Cybersecurity Institute) with official CVE coordination. NVD status marked as 'Deferred' as of 2026-05-19. CVSS 4.0 scoring applied. No known exploitation in the wild (KEV: false). Vendor attribution remains unconfirmed with low confidence based on reference domain analysis.
Official resources
-
CVE-2025-10354 CVE record
CVE.org
-
CVE-2025-10354 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-04-21