PT-2026-51106 · Packagist · Starcitizenwiki/Embedvideo

Published

2026-06-19

·

Updated

2026-06-19

·

CVE-2026-55691

CVSS v3.1

8.6

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

The user-supplied class value is passed straight into the sprintf call that builds the HTML output, without escaping. A double quote inside the value closes the class attribute of the generated element, after which arbitrary HTML attributes and JavaScript can be injected into the final output.

Details

The template below wraps the embed in a figure element whose class attribute is substituted in with sprintf. The value substituted for the first %s is the class supplied by the user, unescaped:
$template = <<<HTML
  <figure class="%s" data-service="%s" %s %s>
    <div class="embedvideo-wrapper" %s>%s%s%s</div>%s
  </figure>
HTML;
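To make the attribute-context problem concrete, here is an added example (not the extension's own code) that reproduces the vulnerable sprintf pattern beside a hardened version. The template is reduced to two attributes and one inner slot; the function names renderVulnerable, renderHardened, escAttr and isSafeClassList are hypothetical, and the input is constructed from the PoC value as the wiki parser would hand it to the extension, i.e. without the surrounding single quotes.

```php
<?php
// Added example, not code from the Embedvideo extension. Function names are
// hypothetical; the template is a simplified version of the one in the advisory.

// Constructed input: the class attribute value from the PoC, as the parser
// delivers it (the single quotes of class='...' are already stripped).
$class = '" onmouseover="alert(document.domain)';

// Vulnerable: the class value is interpolated into the HTML template unescaped.
// The embedded double quote closes the class attribute, and the rest of the
// value becomes a new attribute on the <figure> element.
function renderVulnerable(string $class, string $service, string $inner): string
{
    $template = <<<HTML
  <figure class="%s" data-service="%s">
    <div class="embedvideo-wrapper">%s</div>
  </figure>
HTML;
    return sprintf($template, $class, $service, $inner);
}

// Hardened: escape every user-controlled value for an HTML attribute context.
// ENT_QUOTES encodes both " and ', so neither quote style can terminate the
// attribute; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function escAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(string $class, string $service, string $inner): string
{
    $template = <<<HTML
  <figure class="%s" data-service="%s">
    <div class="embedvideo-wrapper">%s</div>
  </figure>
HTML;
    // $inner is markup the extension builds itself (the player iframe), so it is
    // not attribute-escaped here; every attribute value from the user is.
    return sprintf($template, escAttr($class), escAttr($service), $inner);
}

// Defence in depth: a CSS class list has no legitimate use for quotes, angle
// brackets or anything beyond [A-Za-z0-9_-] and single spaces, so reject other
// input before it reaches the template at all.
function isSafeClassList(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_-]+( [A-Za-z0-9_-]+)*$/', $value) === 1;
}

$inner = '<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>';

echo "vulnerable:\n", renderVulnerable($class, 'youtube', $inner), "\n\n";
echo "hardened:\n", renderHardened($class, 'youtube', $inner), "\n\n";

var_dump(isSafeClassList($class));          // rejected before rendering
var_dump(isSafeClassList('my-embed wide'));  // accepted
```

Run with php on the command line. The vulnerable renderer emits an opening tag of the form <figure class="" onmouseover="alert(document.domain)" data-service="youtube">, which is exactly the injected attribute the PoC relies on; the hardened renderer emits class="&quot; onmouseover=&quot;alert(document.domain)" and the browser treats the whole value as a harmless class name. The allow-list check is independent of the escaping and is worth keeping even once escaping is in place: it rejects the PoC value outright while still accepting ordinary class lists.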

PoC

Note the double quote immediately after the opening single quote: the wiki tag attribute is delimited by single quotes, so the double quote survives into the value and closes the class="..." attribute of the template, leaving the rest of the value as a new attribute on the figure element:
<youtube class='" onmouseover="alert(document.domain)' id="dQw4w9WgXcQ">dQw4w9WgXcQ</youtube>

Impact

Any user who can place the tag on a page can insert arbitrary HTML into the DOM of every viewer of that page, allowing JavaScript to execute in the context of the wiki (stored cross-site scripting).

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-55691
GHSA-7H5P-637F-JFR7

Affected Products

Starcitizenwiki/Embedvideo