CVE-2025-59839

HIGH

EmbedVideo < 4.0.0 - Stored Cross-Site Scripting via Arbitrary HTML Attributes

Title source: llm
STIX 2.1

Description

The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3.

Scores

CVSS v3 8.6
EPSS 0.0028
EPSS Percentile 20.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
star-citizen/embedvideo < 4.0.0
starcitizenwiki/embedvideo 0Packagist
Published Sep 25, 2025
Tracked Since Feb 18, 2026