CVE-2025-10354 Overview
CVE-2025-10354 is a reflected Cross-Site Scripting (XSS) vulnerability [CWE-79] in Semantic MediaWiki. The flaw resides in the /index.php/Speciaal:GefacetteerdZoeken endpoint, which fails to sanitize user-supplied input before reflecting it into the rendered page. An attacker can craft a malicious URL that, when visited by an authenticated user, executes arbitrary JavaScript in the victim's browser context. Successful exploitation enables session cookie theft, credential harvesting, and unauthorized actions performed on behalf of the targeted user.
Critical Impact
Attackers can hijack authenticated MediaWiki sessions and execute arbitrary JavaScript in victim browsers through a crafted URL, enabling account takeover and data theft.
Affected Products
- Semantic MediaWiki extension
- MediaWiki instances exposing the Speciaal:GefacetteerdZoeken special page
- Wiki deployments using the faceted search functionality
Discovery Timeline
- 2026-04-21 - CVE CVE-2025-10354 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2025-10354
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the faceted search special page of Semantic MediaWiki. The endpoint /index.php/Speciaal:GefacetteerdZoeken accepts query parameters and reflects them back into the HTTP response without proper output encoding or input validation. An attacker who can convince a victim to click a crafted link triggers script execution within the victim's browser session. Because the payload runs in the origin of the wiki, it can read authenticated cookies, modify page content, and issue authenticated requests.
The vulnerability requires user interaction, as the victim must visit the attacker-supplied URL. No prior authentication or privileges are required from the attacker to deliver the payload. The EPSS score is 0.062% with a percentile of 19.268.
Root Cause
The root cause is missing output encoding [CWE-79] on parameters reflected by the GefacetteerdZoeken (Faceted Search) special page. User input flows from the request directly into the HTML response without contextual escaping, allowing HTML and JavaScript syntax to break out of the intended data context.
Attack Vector
The attack vector is network-based and relies on social engineering. An attacker constructs a URL targeting the vulnerable endpoint with a JavaScript payload embedded in a query parameter. The attacker then distributes the URL via phishing email, chat, or another wiki page. When an authenticated wiki user clicks the link, the reflected payload executes and can exfiltrate session cookies to an attacker-controlled host or perform privileged wiki actions such as editing pages or modifying user settings.
No verified public exploit code is available. Technical details are documented in the INCIBE CERT Security Notice.
Detection Methods for CVE-2025-10354
Indicators of Compromise
- Inbound HTTP requests to /index.php/Speciaal:GefacetteerdZoeken containing URL-encoded <script>, onerror=, onload=, or javascript: substrings in query parameters
- Outbound requests from user browsers to unexpected external hosts immediately after visiting the faceted search page
- Unusual session cookie usage from new IP addresses or geolocations shortly after a user accesses a crafted URL
Detection Strategies
- Inspect web server access logs for requests to the GefacetteerdZoeken endpoint with suspicious query string content
- Deploy a Web Application Firewall (WAF) rule that flags reflected XSS payload signatures targeting MediaWiki special pages
- Correlate referrer headers and click-through events on wiki users to identify phishing-driven URL delivery
Monitoring Recommendations
- Forward MediaWiki access logs and WAF telemetry to a centralized SIEM for query-parameter inspection
- Alert on authenticated user sessions exhibiting rapid privilege changes, edit floods, or password resets following a click event
- Monitor Content Security Policy (CSP) violation reports for inline script execution attempts on wiki pages
How to Mitigate CVE-2025-10354
Immediate Actions Required
- Apply the vendor-supplied Semantic MediaWiki update once published; consult the INCIBE CERT Security Notice for version guidance
- Restrict access to the Speciaal:GefacetteerdZoeken endpoint until patched, or disable the faceted search feature if not required
- Rotate session secrets and force re-authentication for users who may have clicked suspicious links
Patch Information
Refer to the INCIBE CERT Security Notice for the latest patched version of Semantic MediaWiki. Administrators should upgrade to the fixed release and verify the patch is applied across all wiki instances and mirrors.
Workarounds
- Deploy a strict Content Security Policy that disallows inline scripts and untrusted script sources to limit XSS payload execution
- Add a WAF rule blocking requests to /index.php/Speciaal:GefacetteerdZoeken containing HTML or script metacharacters in query parameters
- Educate wiki users to avoid clicking unsolicited links pointing to internal wiki special pages
# Example WAF rule (ModSecurity) to block reflected XSS payloads
# targeting the Semantic MediaWiki faceted search endpoint
SecRule REQUEST_URI "@contains /index.php/Speciaal:GefacetteerdZoeken" \
"chain,id:1010354,phase:2,deny,status:403,\
msg:'CVE-2025-10354 - Reflected XSS attempt on Semantic MediaWiki'"
SecRule ARGS "@rx (?i)(<script|onerror=|onload=|javascript:|<svg)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

