PT-2026-51106 · Packagist · Starcitizenwiki/Embedvideo

Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-55691

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

The user-supplied class value is passed straight into the sprintf call that builds the HTML. A double quote inside that value closes the class attribute, after which arbitrary HTML or JavaScript can be injected into the final output.

Details

The template below emits a figure element whose class attribute is filled in by sprintf. The value substituted there is the class string supplied by the user, with no escaping applied.
$template = <<<HTML
  <figure class="%s" data-service="%s" %s %s>
    <div class="embedvideo-wrapper" %s>%s%s%s</div>%s
  </figure>
HTML;

PoC

Note the double quote immediately after the opening single quote of the wikitext attribute: it closes the class="..." attribute in the template, so the rest of the value is emitted as a new onmouseover attribute on the figure element:
<youtube class='" onmouseover="alert(document.domain)' id="dQw4w9WgXcQ">dQw4w9WgXcQ</youtube>
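The template quoted under Details and the class value from the PoC tag above, wired together as an added example that is not the extension's own code, so the attribute break-out can be seen in the produced markup next to one hardened variant. The render functions, the class allow-list, the escaping helper and the assumed player markup are illustration only, not the project's fix; the heredoc itself is the one the advisory quotes.

```php
<?php
// Added example, not the extension's own code. The $template heredoc is the one
// quoted in the advisory; everything else (render functions, class allow-list,
// escaping helper, sample input) is assumed for illustration.
declare(strict_types=1);

$template = <<<HTML
  <figure class="%s" data-service="%s" %s %s>
    <div class="embedvideo-wrapper" %s>%s%s%s</div>%s
  </figure>
HTML;

// Vulnerable pattern: the caller-controlled class string reaches sprintf as-is,
// so a double quote inside it terminates the class="..." attribute.
function renderVulnerable(string $template, string $class, string $service, string $player): string
{
    // The remaining placeholders are attributes/children this example leaves empty.
    return sprintf($template, $class, $service, '', '', '', $player, '', '', '');
}

// HTML attribute escaping. ENT_QUOTES matters: without it a single quote survives,
// which is enough to break out of a single-quoted attribute elsewhere.
function escAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assumed hardening: keep only tokens that look like CSS class names, drop the rest.
function sanitizeClass(string $class): string
{
    $kept = [];
    foreach (preg_split('/\s+/', trim($class), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        if (preg_match('/^-?[A-Za-z_][A-Za-z0-9_-]*$/', $token) === 1) {
            $kept[] = $token;
        }
    }
    return implode(' ', $kept);
}

function renderHardened(string $template, string $class, string $service, string $player): string
{
    return sprintf(
        $template,
        escAttr(sanitizeClass($class)),
        escAttr($service),
        '', '', '',
        $player, // assumed to be markup the extension built itself, not user input
        '', '', ''
    );
}

// Constructed input: the class value from the PoC tag above.
$pocClass = '" onmouseover="alert(document.domain)';
$player   = '<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>';

echo "--- vulnerable: the injected quote closes class and adds an event handler ---\n";
echo renderVulnerable($template, $pocClass, 'youtube', $player), "\n";

echo "--- hardened: the allow-list drops the payload; escaping covers any leftover quote ---\n";
echo renderHardened($template, $pocClass, 'youtube', $player), "\n";

// Escaping alone (no allow-list) also keeps the attribute closed: the quote becomes &quot;.
echo "--- escaped only ---\n";
echo sprintf($template, escAttr($pocClass), 'youtube', '', '', '', $player, '', '', ''), "\n";
```

Run it with a PHP 7.4+ CLI and compare the three figure elements: in the first, onmouseover is a real attribute of the figure; in the other two it is inert text inside the class value or gone entirely. The allow-list is the stronger control for a class attribute, since a class name never legitimately needs quotes, angle brackets or spaces beyond token separators, but the escaping step is what guarantees the attribute cannot be closed early whatever the allow-list lets through.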

Impact

Any user who can place the tag on a page can insert arbitrary HTML into the DOM of that page, and thereby execute JavaScript in the browser of anyone who views it.

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-55691
GHSA-7H5P-637F-JFR7

Affected products

Starcitizenwiki/Embedvideo