Skip to main content

EmbedVideo Extension CVE-2026-55690

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo GHSA-c29q-5xm7-5p62
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.4 MEDIUM

Editor account required (PR:L), victim must load the poisoned page (UI:R), payload executes in browser origin separate from the wiki backend (S:C), and impact is typical stored-XSS C:L/I:L with no availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 19, 2026 - 23:30 vuln.today
Analysis Generated
Jun 19, 2026 - 23:30 vuln.today
CVE Published
Jun 19, 2026 - 21:14 github-advisory
HIGH 7.5

DescriptionGitHub Advisory

Summary

When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML.

Details

There is a hardcoded list of allowed services in a switch statement inside EmbedServiceFactory#newFromName here. When the service name is not known, an exception is thrown with the service name injected into the message via sprintf here. This message is not sanitized and is marked as isHtml here. Similarly with {{evl: here.

PoC

// Must be on a page, not on ExpandTemplates
{{#ev:<img src=x onerror=alert(document.domain)>|dQw4w9WgXcQ}}
{{#evl:id=dummy|service=<img src=x onerror=alert(document.domain)>}}

Impact

Stored XSS that allows arbitrary Javascript/HTML insertion on any page that a user can edit. It requires no interaction and executes in the wiki origin for every visitor to the page.

AnalysisAI

{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain wiki edit account
Delivery
Craft {{#ev:}} with HTML payload as service name
Exploit
Save page storing payload
Install
Visitor loads page
C2
Unsanitized error renders with isHTML=true
Execute
Payload executes in wiki origin
Impact
Steal session or escalate via API

Vulnerability AssessmentAI

Exploitation Attacker must have permission to edit (save) a wiki page on a MediaWiki instance that has the StarCitizenWiki EmbedVideo extension installed at version <= 4.0.0, and the page must be a regular content page - the PoC explicitly notes the payload does not fire inside Special:ExpandTemplates. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5) appears inflated for a stored XSS that, per the description, requires the attacker to be able to edit a wiki page - that is a privilege, not PR:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with edit rights on any wiki page that uses the EmbedVideo extension saves wikitext such as {{#ev:<img src=x onerror=alert(document.domain)>|dQw4w9WgXcQ}}; the extension's unknown-service error path returns the injected HTML with isHTML=true and the payload is persisted in the page. Every subsequent visitor - including administrators - executes the attacker's JavaScript in the wiki's origin, enabling session-cookie theft, CSRF against the MediaWiki API to escalate privileges, or mass defacement. …
Remediation Vendor-released patch: upgrade starcitizenwiki/embedvideo to 4.1.0 or later (release notes at https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0; fix commit 9215564bf28a0ceb40be550a55ab78efc0accc56), which introduces an EmbedVideoException type that carries pre-escaped HTML and routes error rendering through Html::element so the service name is treated as text. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all affected wiki installations and apply the available vendor patch; restrict wiki access if immediate patching is not feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-55690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy