Platform: php
Component: clipbucket-v5
Fixed in: 5.5.3
CVE-2025-64336 describes a stored Cross-Site Scripting (XSS) vulnerability affecting ClipBucket v5, an open-source video sharing platform. This vulnerability allows authenticated regular users to inject malicious code into photo titles, leading to potential JavaScript execution within the administrator's browser. Versions 5.5.2-#146 and earlier are affected, while a fix is available in version 5.5.2-#147.
The vulnerability lies within the Manage Photos feature of ClipBucket. Any authenticated regular user can upload a photo whose title contains HTML or JavaScript. The payload does not immediately affect the public-facing video gallery or detail pages, but it is rendered without encoding when an administrator views the Manage Photos section, so the injected JavaScript executes in the administrator's browser context. This could lead to session hijacking, credential theft, or defacement of the administrative interface, potentially granting the attacker control over the entire ClipBucket installation.
This vulnerability was publicly disclosed on 2025-11-07. No public proof-of-concept (PoC) code has been identified at the time of writing. It is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation, but given the potential for administrative access compromise, it warrants careful attention.
Exploit Status: EPSS 0.06% (18th percentile)
The primary mitigation for CVE-2025-64336 is to immediately upgrade ClipBucket to version 5.5.2-#147 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Photo Title field to prevent the injection of HTML or JavaScript code. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and audit user-uploaded content for suspicious activity.
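As an added example (not ClipBucket's own code), the PHP below contrasts the unsafe admin-template pattern the advisory describes with output encoding via htmlspecialchars at the point where the title is rendered, and adds a small audit check for titles already stored; all function and variable names are hypothetical. Encoding at the admin-view sink is what closes the bug regardless of how the title was validated on upload.

```php
<?php
// Added example, not ClipBucket code: escaping a user-controlled photo
// title before rendering it in an admin listing. Names are hypothetical.
declare(strict_types=1);

/** Vulnerable pattern: the stored title is concatenated raw into admin markup. */
function render_title_unsafe(string $title): string
{
    return '<td class="photo-title">' . $title . '</td>';
}

/** HTML-body/attribute encoding with an explicit charset. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened: encode for both the text node and the quoted attribute. */
function render_title_safe(string $title): string
{
    $safe = esc_html($title);
    return '<td class="photo-title" title="' . $safe . '">' . $safe . '</td>';
}

/**
 * Audit helper for rows already in the database: flag titles that look
 * like markup or inline handlers so an administrator can review them
 * from a safe (encoded) view before upgrading.
 */
function title_looks_like_markup(string $title): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i', $title);
}

// Constructed sample titles: one benign, one carrying a stored-XSS payload.
$titles = [
    'Holiday 2024',
    'Sunset <script>alert(1)</script>',
];

foreach ($titles as $t) {
    echo 'unsafe: ' . render_title_unsafe($t) . PHP_EOL;   // script tag survives intact
    echo 'safe:   ' . render_title_safe($t) . PHP_EOL;     // rendered as &lt;script&gt;...
    echo 'flag:   ' . (title_looks_like_markup($t) ? 'review' : 'ok') . PHP_EOL . PHP_EOL;
}
```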
Update ClipBucket to version 5.5.2-#147 or later. This version fixes the stored XSS vulnerability in the photo management feature. The update prevents authenticated users from injecting malicious code through photo titles, thereby protecting the administrator's session.
CVE-2025-64336 is a stored Cross-Site Scripting (XSS) vulnerability in ClipBucket v5, allowing authenticated users to inject malicious JavaScript into photo titles, potentially impacting the administrator's browser.
You are affected if you are using ClipBucket v5 versions 5.5.2-#146 or earlier. Upgrade to 5.5.2-#147 to mitigate the risk.
The recommended fix is to upgrade ClipBucket to version 5.5.2-#147 or later. As a temporary workaround, implement input validation and sanitization on the Photo Title field.
There is no confirmed active exploitation of CVE-2025-64336 at this time, but the vulnerability is publicly known and should be addressed promptly.
Refer to the ClipBucket security advisory for details and updates: [https://www.clipbucket.net/security/advisories/]