GHSA-c29q-5xm7-5p62

Source
https://github.com/advisories/GHSA-c29q-5xm7-5p62
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c29q-5xm7-5p62/GHSA-c29q-5xm7-5p62.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c29q-5xm7-5p62
Aliases
  • CVE-2026-55690
Published
2026-06-19T21:14:15Z
Modified
2026-06-19T21:30:11.516796395Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text
Details

Summary

When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML.

Details

There is a hardcoded list of allowed services in a switch statement inside EmbedServiceFactory#newFromName. When the service name is not known, an exception is thrown with the service name injected into the message via sprintf. This message is not sanitized and is marked as isHtml when rendered. The same applies to the {{#evl: parser function.

PoC

// Must be on a page, not on ExpandTemplates
{{#ev:<img src=x onerror=alert(document.domain)>|dQw4w9WgXcQ}}
{{#evl:id=dummy|service=<img src=x onerror=alert(document.domain)>}}

Impact

Stored XSS that allows arbitrary JavaScript/HTML insertion on any page that a user can edit. It requires no interaction and executes in the wiki origin for every visitor to the page.
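As an added illustration (not the extension's own code), a simplified PHP 8 model of the pattern the advisory describes, with the unsanitized error rendering beside an escaped version. The class and method names follow the advisory; the service list, the exception class, the two render functions and the isHTML return convention are assumptions.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern, not the real extension.

class UnknownServiceException extends RuntimeException {}

final class EmbedServiceFactory {
    // Stand-in for the hardcoded switch of allowed services (assumed list).
    public static function newFromName(string $name): string {
        switch (strtolower($name)) {
            case 'youtube':
            case 'vimeo':
                return strtolower($name);
            default:
                // The caller-controlled $name lands in the message verbatim.
                throw new UnknownServiceException(
                    sprintf('Service "%s" is not recognised.', $name)
                );
        }
    }
}

// Vulnerable: the exception text is returned to the parser flagged as trusted HTML.
function renderErrorVulnerable(Throwable $e): array {
    return [sprintf('<span class="error">%s</span>', $e->getMessage()), 'isHTML' => true];
}

// Hardened: escape untrusted text before placing it in HTML. (Returning plain
// wikitext without the isHTML flag, so the parser escapes it, is the other option.)
function renderErrorSafe(Throwable $e): array {
    $escaped = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return [sprintf('<span class="error">%s</span>', $escaped), 'isHTML' => true];
}

// Drives the factory and returns the HTML string the parser would emit.
function render(string $service, callable $renderError): string {
    try {
        return 'ok: ' . EmbedServiceFactory::newFromName($service);
    } catch (UnknownServiceException $e) {
        return $renderError($e)[0];
    }
}

// Constructed sample input (harmless markup, not the advisory's PoC).
$sample = '<b>not-a-service</b>';
// true: raw tag survives in the vulnerable output.
var_dump(str_contains(render($sample, 'renderErrorVulnerable'), '<b>'));
// true: tag is escaped in the hardened output.
var_dump(str_contains(render($sample, 'renderErrorSafe'), '&lt;b&gt;'));
```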

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:14:15Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ]
}
References

Affected packages

Packagist / starcitizenwiki/embedvideo

Package

Name
starcitizenwiki/embedvideo
Purl
pkg:composer/starcitizenwiki%2Fembedvideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.1.0

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.3.0
3.4.0
3.4.1
3.4.2
3.4.3
4.*
4.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c29q-5xm7-5p62/GHSA-c29q-5xm7-5p62.json"
last_known_affected_version_range
"<= 4.0.0"