CVE-2026-55690 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML.
There is a hardcoded list of allowed services in a switch statement inside EmbedServiceFactory#newFromName. When the service name is not known, an exception is thrown with the service name injected into the message via sprintf. This message is not sanitized and is marked as isHtml, so it is rendered as raw HTML. The same applies to {{#evl:.
// Must be on a page, not on ExpandTemplates
{{#ev:<img src=x onerror=alert(document.domain)>|dQw4w9WgXcQ}}
{{#evl:id=dummy|service=<img src=x onerror=alert(document.domain)>}}
Stored XSS that allows arbitrary JavaScript/HTML insertion on any page that a user can edit. It requires no interaction and executes in the wiki origin for every visitor to the page.
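The pattern described above next to one way to close it, as an added example that is not the EmbedVideo extension's code. The function names and the allowlist entries are hypothetical, and the input string is the service-name value from the proof of concept above.

```php
<?php
declare(strict_types=1);

// Added illustration, not EmbedVideo's own code. Function names and the
// allowlist contents are hypothetical.
const KNOWN_SERVICES = ['youtube', 'vimeo'];

// Mirrors the flaw described above: the caller-supplied name is formatted
// into a message that is later emitted as raw HTML.
function errorHtmlVulnerable(string $service): string {
    return sprintf('<strong class="error">Unknown service "%s".</strong>', $service);
}

// Hardened: encode the untrusted value for an HTML context before it is
// formatted into markup that will be output unescaped.
function errorHtmlHardened(string $service): string {
    $safe = htmlspecialchars($service, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<strong class="error">Unknown service "%s".</strong>', $safe);
}

// Allowlist lookup: a known name resolves, anything else yields the
// hardened error markup instead of echoing the raw value.
function resolveService(string $service): string {
    if (in_array(strtolower($service), KNOWN_SERVICES, true)) {
        return 'ok';
    }
    return errorHtmlHardened($service);
}

// Sample input: the service-name value from the page's proof of concept.
$input = '<img src=x onerror=alert(document.domain)>';

echo errorHtmlVulnerable($input), PHP_EOL; // markup passes through unencoded
echo resolveService($input), PHP_EOL;      // markup is encoded and shown as text
```

Encoding at the point where the value enters the message keeps the fix local; the alternative is to stop flagging the message as HTML so the output layer escapes it as a whole.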