EmbedVideo Extension CVE-2026-55690
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Editor account required (PR:L), victim must load the poisoned page (UI:R), payload executes in browser origin separate from the wiki backend (S:C), and impact is typical stored-XSS C:L/I:L with no availability effect.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML.
Details
There is a hardcoded list of allowed services in a switch statement inside EmbedServiceFactory#newFromName here. When the service name is not known, an exception is thrown with the service name injected into the message via sprintf here. This message is not sanitized and is marked as isHtml here. Similarly with {{evl: here.
PoC
// Must be on a page, not on ExpandTemplates
{{#ev:<img src=x onerror=alert(document.domain)>|dQw4w9WgXcQ}}
{{#evl:id=dummy|service=<img src=x onerror=alert(document.domain)>}}Impact
Stored XSS that allows arbitrary Javascript/HTML insertion on any page that a user can edit. It requires no interaction and executes in the wiki origin for every visitor to the page.
AnalysisAI
{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have permission to edit (save) a wiki page on a MediaWiki instance that has the StarCitizenWiki EmbedVideo extension installed at version <= 4.0.0, and the page must be a regular content page - the PoC explicitly notes the payload does not fire inside Special:ExpandTemplates. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5) appears inflated for a stored XSS that, per the description, requires the attacker to be able to edit a wiki page - that is a privilege, not PR:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with edit rights on any wiki page that uses the EmbedVideo extension saves wikitext such as {{#ev:<img src=x onerror=alert(document.domain)>|dQw4w9WgXcQ}}; the extension's unknown-service error path returns the injected HTML with isHTML=true and the payload is persisted in the page. Every subsequent visitor - including administrators - executes the attacker's JavaScript in the wiki's origin, enabling session-cookie theft, CSRF against the MediaWiki API to escalate privileges, or mass defacement. … |
| Remediation | Vendor-released patch: upgrade starcitizenwiki/embedvideo to 4.1.0 or later (release notes at https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0; fix commit 9215564bf28a0ceb40be550a55ab78efc0accc56), which introduces an EmbedVideoException type that carries pre-escaped HTML and routes error rendering through Html::element so the service name is treated as text. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all affected wiki installations and apply the available vendor patch; restrict wiki access if immediate patching is not feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c29q-5xm7-5p62