CVE-2026-55691 is a low-severity vulnerability with a CVSS score of 0.0. There are currently no known exploits, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The user-supplied class value is fed directly into the sprintf call that creates the HTML. You can add a quote to escape the class attribute and then inject arbitrary HTML/JavaScript into the final output.
The template adds a figure element with a class that is substituted in. The value provided to sprintf is an unescaped version of the class supplied by the user.
$template = <<<HTML
<figure class="%s" data-service="%s" %s %s>
<div class="embedvideo-wrapper" %s>%s%s%s</div>%s
</figure>
HTML;
Note the double quote immediately following the single quote to escape the class attribute in the template:
<youtube class='" onmouseover="alert(document.domain)' id="dQw4w9WgXcQ">dQw4w9WgXcQ</youtube>
Arbitrary HTML can be inserted into the DOM by any user on any page, allowing for JavaScript to be executed.
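The unescaped substitution described above, next to a form that encodes each attribute value before it reaches sprintf. This is an added example, not the extension's code or its actual patch: the function names are hypothetical, the template is cut down to two attributes, and the input is the class value from the example tag on this page.

```php
<?php
// Added example, not the extension's code. Function names are hypothetical and
// the template is reduced to the two attributes needed to show the problem.
const FIGURE_TEMPLATE = '<figure class="%s" data-service="%s">%s</figure>';

// Behaviour described above: the class value reaches sprintf unescaped.
function renderFigureUnescaped(string $class, string $service, string $inner): string {
    return sprintf(FIGURE_TEMPLATE, $class, $service, $inner);
}

// ENT_QUOTES encodes both " and ', so a value cannot close its attribute.
function escapeAttr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every attribute value is encoded before substitution.
// $inner is assumed to be markup the caller has already built safely.
function renderFigureEscaped(string $class, string $service, string $inner): string {
    return sprintf(FIGURE_TEMPLATE, escapeAttr($class), escapeAttr($service), $inner);
}

// Regression check: parse the output and list the attributes <figure> ended up with.
function figureAttributeNames(string $html): array {
    libxml_use_internal_errors(true); // libxml2 may report HTML5 tags such as <figure> as errors
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('figure')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    libxml_clear_errors();
    return $names;
}

// Input: the class value from the example tag on this page.
$class = '" onmouseover="alert(document.domain)';

foreach (['unescaped' => 'renderFigureUnescaped', 'escaped' => 'renderFigureEscaped'] as $label => $render) {
    $html = $render($class, 'youtube', '');
    $names = figureAttributeNames($html);
    $verdict = $names === ['class', 'data-service'] ? 'ok' : 'unexpected attribute';
    printf("%-9s %s\n          attributes: %s (%s)\n", $label, $html, implode(', ', $names), $verdict);
}
```

The attribute-list comparison works as a regression test for any template that builds tags with sprintf: the set of attributes on the rendered element should never depend on the user-supplied value.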
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.