CVE-2025-59839: Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes
(updated )
The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext.
References
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/ext.embedVideo.videolink.js
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/modules/iframe.js
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/4e075d3dc9a15a3ee53f449a684d5ab847e52f01
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-4j5h-mvj3-m48v
- github.com/advisories/GHSA-4j5h-mvj3-m48v
- nvd.nist.gov/vuln/detail/CVE-2025-59839
Code Behaviors & Features
Detect and mitigate CVE-2025-59839 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →