CVE-2026-55690
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text
Description

### Summary

When an unknown service name is passed to embedvideo, an error message is rendered that contains the invalid service name. The service name is not sanitized and can contain HTML.

### Details

There is a hardcoded list of allowed services in a switch statement inside `EmbedServiceFactory#newFromName` [here](https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/a573a16d925ee0ea0d34b360856dc8ab0b88f822/includes/EmbedService/EmbedServiceFactory.php#L105). When the service name is not known, an exception is thrown with the service name injected into the message via sprintf [here](https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/a573a16d925ee0ea0d34b360856dc8ab0b88f822/includes/EmbedService/EmbedServiceFactory.php#L286). This message is not sanitized and is marked as isHtml [here](https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/a573a16d925ee0ea0d34b360856dc8ab0b88f822/includes/EmbedVideo.php#L303-L311). The same applies to `{{#evl:` [here](https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/a573a16d925ee0ea0d34b360856dc8ab0b88f822/includes/EmbedVideo.php#L177-L183).

### PoC

```
// Must be on a page, not on ExpandTemplates
{{#ev:<img src=x onerror=alert(document.domain)>|dQw4w9WgXcQ}}
{{#evl:id=dummy|service=<img src=x onerror=alert(document.domain)>}}
```

### Impact

Stored XSS that allows arbitrary JavaScript/HTML insertion on any page that a user can edit. It requires no user interaction and executes in the wiki origin for every visitor to the page.
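The escaping pattern at issue, as an added PHP illustration that is not the extension's code: a stand-in allow-list that throws with the raw service name in its message, a parser-function handler that returns that message flagged as HTML (the bug), and the same handler with the message escaped before the flag is set. The function names `lookupService`, `renderErrorVulnerable` and `renderErrorHardened` are hypothetical; the `'isHTML' => true` return key mirrors MediaWiki's parser-function return convention, and the payload is the one from the PoC above.

```php
<?php
// Added illustration (not the EmbedVideo extension's code). Function names
// are hypothetical; only the sprintf + isHTML pattern and its fix are the point.

declare(strict_types=1);

/** Hardcoded allow-list standing in for EmbedServiceFactory#newFromName. */
function lookupService(string $name): string
{
    switch (strtolower($name)) {
        case 'youtube':
        case 'vimeo':
            return strtolower($name);
        default:
            // Vulnerable pattern: the attacker-controlled name is interpolated
            // verbatim into the exception message.
            throw new InvalidArgumentException(sprintf('Service "%s" not found', $name));
    }
}

/**
 * Vulnerable handler: returns the raw exception message and marks the result
 * as HTML, so the parser emits the service name without escaping it and a
 * wikitext call like {{#ev:<img ...>|id}} renders the tag as markup.
 */
function renderErrorVulnerable(string $service): array
{
    try {
        lookupService($service);
        return ['', 'isHTML' => true];
    } catch (InvalidArgumentException $e) {
        return ['<div class="error">' . $e->getMessage() . '</div>', 'isHTML' => true];
    }
}

/**
 * Hardened handler: the message still carries untrusted input, so it is
 * HTML-escaped before the result is flagged as HTML. ENT_QUOTES also escapes
 * quotes, which matters if the message is ever placed inside an attribute.
 */
function renderErrorHardened(string $service): array
{
    try {
        lookupService($service);
        return ['', 'isHTML' => true];
    } catch (InvalidArgumentException $e) {
        $safe = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return ['<div class="error">' . $safe . '</div>', 'isHTML' => true];
    }
}

// Payload taken from the advisory's PoC.
$payload = '<img src=x onerror=alert(document.domain)>';
echo "vulnerable: " . renderErrorVulnerable($payload)[0] . "\n";
echo "hardened:   " . renderErrorHardened($payload)[0] . "\n";

// A known service takes the normal path and produces no error markup.
var_dump(renderErrorHardened('YouTube')[0] === '');
```

Run it with the `php` CLI: the vulnerable line prints the `<img>` tag intact, the hardened line prints it as `&lt;img src=x onerror=alert(document.domain)&gt;`. The same review applies to every error path in a parser function that interpolates user input with sprintf and then returns with isHTML set; in a real MediaWiki extension the escaping would normally be done through the message system (`wfMessage(...)->escaped()`) or `Html::element()` rather than a bare `htmlspecialchars`, but the invariant is the same: nothing user-controlled reaches an isHTML result unescaped.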
How to fix CVE-2026-55690
To fix CVE-2026-55690, upgrade the affected package to the patched version listed below.
- — upgrade to 4.1.0 or later
Is CVE-2026-55690 being exploited?
No exploitation signals at present. CVE-2026-55690 is neither listed in the CISA KEV catalog nor has a recent EPSS score.
Affected packages (1)
- from 0, < 4.1.0