[MEDIUM] starcitizentools/citizen-skin allows stored XSS in menu heading message

PKSA-68j2-x1s7-tqgv CVE-2025-49579 GHSA-g3cp-pq72-hjpv

Affected package: starcitizentools/citizen-skin

Affected version: >=2.4.2,<3.3.1

Reported by:
GitHub