cve-2026-14358 was a stored xss in the mediawiki charts extension where Data:*.tab field titles could reach the pie chart tooltip html renderer
cve-2026-54717 let attacker-controlled page titles execute javascript in the silverstripe cms page list view through unescaped breadcrumb rendering