CVE-2026-55691: StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template
The user-supplied class value is fed directly into the sprintf call that builds the HTML. A double quote in that value terminates the attribute, after which arbitrary HTML or JavaScript can be injected into the final output.
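As an added illustration (not code from the EmbedVideo extension; the function names and the template string are assumptions), the vulnerable shape of this bug in PHP beside a hardened rendering that validates class tokens and escapes for attribute context:

```php
<?php
// Added example, not the extension's code. Function names and markup are assumptions.

// Vulnerable shape: the caller-controlled $class lands in the markup unescaped,
// so a double quote in it terminates the attribute value.
function renderVideoContainerUnsafe( string $class, string $src ): string {
    return sprintf(
        '<div class="embedvideo %s"><iframe src="%s"></iframe></div>',
        $class,
        $src
    );
}

// Hardened shape: keep only tokens that are plausible CSS class names, then
// escape for an HTML attribute context anyway (defence in depth).
function sanitizeClassList( string $class ): string {
    $tokens = preg_split( '/\s+/', trim( $class ) ) ?: [];
    $allowed = array_filter(
        $tokens,
        static fn( string $t ): bool => preg_match( '/^[A-Za-z_][A-Za-z0-9_-]*$/', $t ) === 1
    );
    return implode( ' ', $allowed );
}

function renderVideoContainer( string $class, string $src ): string {
    return sprintf(
        '<div class="embedvideo %s"><iframe src="%s"></iframe></div>',
        htmlspecialchars( sanitizeClassList( $class ), ENT_QUOTES | ENT_HTML5, 'UTF-8' ),
        htmlspecialchars( $src, ENT_QUOTES | ENT_HTML5, 'UTF-8' )
    );
}

// Constructed input: one legitimate class token followed by a value carrying a quote.
$untrusted = 'foo bar" data-x="y';
$src = 'https://example.invalid/embed/123';
// Only "foo" survives validation; the quoted fragment is dropped, and anything
// that did pass would still be entity-encoded by htmlspecialchars.
echo renderVideoContainer( $untrusted, $src ), "\n";
```

The validation step is what makes the fix robust: escaping alone neutralises the quote, but rejecting anything that is not a well-formed class token also stops the value from smuggling unexpected content into stylesheets or selectors.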
References
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-7h5p-637f-jfr7
- github.com/advisories/GHSA-7h5p-637f-jfr7
- nvd.nist.gov/vuln/detail/CVE-2026-55691