lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo
, data-vimeoparams
, data-youtube
and data-ytparams
which can be abused to inject malicious JavaScript.