CVE-2025-59839

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-59839
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59839.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59839
Aliases
Published
2025-09-25T13:56:13.804Z
Modified
2026-04-10T05:33:29.233364Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
Summary
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes
Details

The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59839.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/starcitizenwiki/mediawiki-extensions-embedvideo

Affected ranges

Type
GIT
Repo
https://github.com/starcitizenwiki/mediawiki-extensions-embedvideo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4e075d3dc9a15a3ee53f449a684d5ab847e52f01

Affected versions

2.*
2.7.2
v1.*
v1.0
v2.*
v2.0
v2.0beta1
v2.0beta2
v2.0beta3
v2.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1alpha1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.5.0
v2.5.2
v2.6.0
v2.6.1
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.9.0
v3.*
v3.0.0
v3.1.0
v4.*
v4.0.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59839.json"