CVE-2025-59839

Summary

The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext.

Details

The attributes of an iframe are populated with the value of an unreserved data attribute (data-iframeconfig) that can be set via wikitext: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/ext.embedVideo.videolink.js#L5-L20 Similar code is also present here: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/modules/iframe.js#L139-L155

It is possible to execute JS through attributes like onload or onmouseenter.

PoC

Create a page with the following contents:

&lt;div class=&quot;embedvideo-evl&quot; data-iframeconfig=&#039;{&quot;onload&quot;: &quot;alert(1)&quot;}&#039;&gt;Click me!&lt;/div&gt;
&lt;evlplayer&gt;&lt;/evlplayer&gt;

Click on the "Click me!" text
Click on the "Load video" button below <img width="855" height="404" alt="image" src="https://github.com/user-attachments/assets/afb3839a-012c-4e90-a208-a6137b704ccd" />

Impact

Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.

Published: Sep 24, 2025
Updated: Sep 25, 2025
CVE: CVE-2025-59839
GHSA: GHSA-4j5h-mvj3-m48v
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
starcitizenwiki / embedvideo	-	4.0.0.x

Vulnerability Database

CVE-2025-59839

Summary

Details

PoC

Impact

Deep Security Visibility Without the Complexity