In affected versions of video.js, the src attribute of the track tag can be used to bypass HTML escaping and execute arbitrary code.
video.js
Upgrade to version 7.14.3 or later
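
To confirm the upgrade took effect in every installed copy, including copies nested under other packages, the following added example audits a parsed package-lock.json for video.js entries older than 7.14.3. It is not part of the advisory or of the video.js project. It assumes every version below 7.14.3 needs the upgrade (the advisory does not state the affected range), and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: find video.js copies in a package-lock.json that predate the fix.
const FIXED = [7, 14, 3]; // fixed version stated in the advisory

// True when the version is below the fix. Unparseable strings count as below
// (assumption) so they get a manual look instead of being silently passed.
function isBelowFix(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version).trim());
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return Boolean(m[4]); // a prerelease such as 7.14.3-beta.1 sorts before 7.14.3
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree. Handle both.
function findVideoJs(lock) {
  if (lock.packages) {
    return Object.entries(lock.packages)
      .filter(([path]) => /(^|\/)node_modules\/video\.js$/.test(path))
      .map(([path, info]) => ({ path, version: info.version }));
  }
  const found = [];
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'video.js') found.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Every installed copy that still needs the upgrade.
const auditLock = (lock) => findVideoJs(lock).filter((e) => isBelowFix(e.version));

// Constructed sample lockfile (package names and versions are made up).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/video.js': { version: '7.15.4' },
  'node_modules/legacy-player/node_modules/video.js': { version: '7.14.2' },
} };
console.log(auditLock(SAMPLE_LOCK));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to auditLock; an empty array means no copy below 7.14.3 is installed.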