An issue exists in the UnlinkedWikibase extension in MediaWiki prior to 1.39.6, 1.40.x prior to 1.40.2, and 1.41.x prior to 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.