Primary

Context

Wiki.js Stored Cross-Site Scripting Vulnerability in Code Blocks

Vulnerability

A stored cross-site scripting vulnerability has been identified in Wiki.js versions prior to 2.5.190. This issue arises from mustache expressions in code blocks being processed by Vue during content injection, despite being enclosed within `<pre>` elements. A malicious user can exploit this vulnerability by crafting a wiki page that executes harmful JavaScript when viewed by others.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, create a wiki page in a version of Wiki.js prior to 2.5.190. Insert a mustache expression into a code block, such as one that triggers a JavaScript alert. When the page is saved and viewed, the JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to Wiki.js version 2.5.190 or later, where this vulnerability has been patched.

Added: May 15, 2026, 8:51 AM

Updated: May 15, 2026, 8:51 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.3

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.3

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Wiki.js Stored Cross-Site Scripting Vulnerability in Code Blocks

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Wiki.js

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating