CVE-2025-59332 · HIGH 8.6 · EPSS p27.0%

Description

3DAlloy is a lightweight 3D viewer for MediaWiki. From 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to provide custom attributes that are then appended to the canvas HTML element output by the extension. The attributes are not sanitized, which means that arbitrary JavaScript can be inserted and executed.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS: 0.35% probability of exploitation · percentile 27.0% · 2026-06-18T12:00:27Z
Published: 2025-09-15
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-79

References

  1. https://github.com/dolfinus/3DAlloy/commit/9fac7936254886265ac89c8824c4816d009b7a1b
  2. https://github.com/dolfinus/3DAlloy/security/advisories/GHSA-f2rp-232x-mqrh

Type: Weakness
Target: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-0595
  2. CVE-2025-0827
  3. CVE-2025-32928
  4. CVE-2025-4991
  5. CVE-2025-53369
  6. CVE-2025-28243

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.