CVE-2026-25144

5.3 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability exists in Talishar's in-game chat system where the playerID parameter in SubmitChat.php is saved without proper sanitization and executed when users view the game page. This allows attackers to inject malicious scripts that execute in victims' browsers. All users of vulnerable Talishar instances are affected.

💻 Affected Systems

Products:
  • Talishar
Versions: All versions before commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: This is a web application vulnerability, not OS-specific. Affects all deployments using vulnerable code.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or execute arbitrary actions on behalf of authenticated users.

🟠

Likely Case

Attackers inject malicious JavaScript to steal session tokens or display phishing content to other players in the game chat.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to submit chat messages. The vulnerability is straightforward to exploit once an attacker discovers it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4

Vendor Advisory: https://github.com/Talishar/Talishar/security/advisories/GHSA-rrr4-h2pc-57g6

Restart Required: No

Instructions:

1. Pull the latest code from the Talishar repository.
2. Ensure commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 is applied.
3. Deploy the updated code to your server.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize playerID parameter before storage

Implement proper HTML entity encoding for user input in SubmitChat.php

Content Security Policy

all

Implement strict Content Security Policy headers to mitigate XSS impact

Add header: Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Disable the chat functionality completely if not essential
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check if your codebase includes the vulnerable SubmitChat.php without the fix commit. Test by attempting to inject basic XSS payloads in the playerID parameter.

Check Version:

git merge-base --is-ancestor 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 HEAD && echo "fix commit present"

Verify Fix Applied:

Verify that commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 is present in your deployment. Test that XSS payloads in chat are properly sanitized and rendered as text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual chat messages containing script tags or JavaScript code
  • Multiple failed XSS attempts in chat submissions

Network Indicators:

  • HTTP requests with suspicious parameters containing script tags or JavaScript in playerID field

SIEM Query:

source="web_logs" AND (playerID CONTAINS "<script>" OR playerID CONTAINS "javascript:")
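
A literal match on `<script>` or `javascript:` misses percent-encoded and mixed-case values. As an added example (not part of the advisory or of the Talishar code base), this Python check decodes the playerID query parameter from access-log lines and flags every value that is not a plain decimal number. It assumes legitimate playerID values are integers and that requests are logged with their query string in combined-log style; the sample lines and the `text` parameter are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined-log style (not real traffic).
# The "text" parameter is hypothetical; only playerID comes from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /SubmitChat.php?playerID=1&text=gg HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /SubmitChat.php?playerID=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /SubmitChat.php?playerID=JavaScript%3Avoid(0) HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2026:10:01:00 +0000] "GET /index.php?playerID=%3Cb%3E HTTP/1.1" 200 40',
]

# Request target inside the quoted request line of each log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate playerID is a plain decimal integer.
NUMERIC_RE = re.compile(r"[0-9]+")


def suspicious_player_ids(lines, endpoint="SubmitChat.php"):
    """Return (line_number, decoded_value) for non-numeric playerID values."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Only the chat submission endpoint named in the advisory is in scope.
        if not url.path.endswith("/" + endpoint):
            continue
        # parse_qs percent-decodes values, so encoded markup is seen in clear.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("playerID", []):
            if not NUMERIC_RE.fullmatch(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_player_ids(SAMPLE_LOG):
        print(f"line {number}: unexpected playerID {value!r}")
```

Parameters sent in a POST body do not appear in standard access logs, so the same allow-list test would have to run where request bodies are visible, such as a WAF or the application's own logging.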
