PT-2026-51105 · Packagist · Starcitizenwiki/Embedvideo

Publicado

2026-06-19

Atualizado

2026-06-19

CVE-2026-55690

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML.

Details

There is a hardcoded list of allowed services in a switch statement inside EmbedServiceFactory#newFromName here. When the service name is not known, an exception is thrown with the service name injected into the message via sprintf here. This message is not sanitized and is marked as isHtml here. Similarly with {{evl: here.

PoC

// Must be on a page, not on ExpandTemplates
{{#ev:<img src=x onerror=alert(document.domain)>|dQw4w9WgXcQ}}
{{#evl:id=dummy|service=<img src=x onerror=alert(document.domain)>}}

Impact

Stored XSS that allows arbitrary Javascript/HTML insertion on any page that a user can edit. It requires no interaction and executes in the wiki origin for every visitor to the page.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79CWE-80

Identificadores relacionados

CVE-2026-55690

GHSA-C29Q-5XM7-5P62

Produtos afetados

Starcitizenwiki/Embedvideo

PT-2026-51105 · Packagist · Starcitizenwiki/Embedvideo

CVE-2026-55690

Summary

Details

PoC

Impact

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5