Platform
php
Component
clipbucket-v5
Fixed in
5.5.3
CVE-2025-64338 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting ClipBucket v5, an open-source video sharing platform. This vulnerability allows an authenticated regular user to inject malicious HTML or JavaScript payloads into collection names. Successful exploitation can lead to the execution of arbitrary code in the administrator's browser, potentially granting an attacker elevated privileges. The vulnerability impacts versions 5.5.2 - #156 and below, and a fix is available in version 5.5.2 - #157.
The primary impact of CVE-2025-64338 is the potential for an attacker to compromise the ClipBucket administrator account. By injecting malicious JavaScript into a collection name, an attacker can trigger code execution when an administrator views the 'Manage Photos' page. This could allow the attacker to steal administrator credentials, modify site content, inject malicious scripts into videos, or even gain complete control of the server. The vulnerability’s reliance on authentication limits the initial attack surface, but successful compromise of an administrator account provides a significant blast radius, potentially impacting all users and data stored on the platform. This is similar to other XSS vulnerabilities where attackers leverage administrative interfaces to gain broader control.
CVE-2025-64338 was publicly disclosed on December 15, 2025. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The relatively recent disclosure and lack of public exploits suggest a low probability of immediate exploitation, but diligent patching is still essential.
Organizations and individuals using ClipBucket v5 for video sharing, particularly those with multiple administrators or limited security awareness, are at risk. Shared hosting environments where multiple users share the same ClipBucket instance are also at increased risk, as a compromised user could potentially target other administrators.
• php: Examine ClipBucket's database for collection names containing suspicious HTML or JavaScript code. Use grep to search the collection_name field in the relevant table for <script> tags or other potentially malicious patterns.
grep '<script' /path/to/clipbucket/db/collection_table.sql
• generic web: Monitor access logs for requests to the 'Manage Photos' interface with unusual parameters or user agents. Look for POST requests to the collection creation endpoint with potentially malicious data.
curl -X POST -d "collection_name=<script>alert('XSS')</script>" http://your-clipbucket-site/admin/manage_photos.php > /dev/null 2>&1
• generic web: Check response headers for signs of XSS, such as the presence of JavaScript code in the Content-Security-Policy (CSP) header.
disclosure
Exploit Status
EPSS
0.05% (17th percentile)
CISA SSVC
The primary mitigation for CVE-2025-64338 is to immediately upgrade ClipBucket to version 5.5.2 - #157 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Collection Name' field to prevent the injection of HTML/JavaScript payloads. Web Application Firewalls (WAFs) configured to detect and block XSS attempts targeting the 'Manage Photos' interface can provide an additional layer of defense. Regularly review and audit user-generated content to identify and remove any potentially malicious collection names. After upgrade, confirm the fix by attempting to create a collection with a name containing a simple JavaScript payload (e.g., <script>alert('XSS')</script>) and verifying that it is properly sanitized and does not execute.
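As an added illustration of the output-encoding and input-validation measures described above (example code written for this page, not ClipBucket's own; the function names and the 100-character name limit are assumptions, and PHP 8 is required for str_contains):

```php
<?php
// Added example, not ClipBucket's own code: an unsafe rendering of a stored
// collection name next to an output-encoded one, plus an allow-list check at
// input time. Function names and the 100-character limit are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the stored name is interpolated into HTML untouched, so a
// name like "<script>alert('XSS')</script>" becomes live markup in the admin page.
function render_collection_cell_unsafe(string $collectionName): string
{
    return '<td>' . $collectionName . '</td>';
}

// Hardened pattern: encode at the HTML boundary. ENT_QUOTES also encodes single
// quotes, which matters when the value ends up inside an attribute.
function render_collection_cell_safe(string $collectionName): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401;
    return '<td>' . htmlspecialchars($collectionName, $flags, 'UTF-8') . '</td>';
}

// Defence in depth on input: allow-list the characters a collection name may
// contain rather than trying to block known-bad tags.
function is_valid_collection_name(string $collectionName): bool
{
    return preg_match('/^[\p{L}\p{N} _\-.,()]{1,100}\z/u', $collectionName) === 1;
}

// Constructed sample inputs mirroring the payload class the advisory describes.
$payload = "<script>alert('XSS')</script>";
$benign  = 'Holiday photos 2025';

$expected = '<td>&lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;</td>';
$checks = [
    str_contains(render_collection_cell_unsafe($payload), '<script>'),
    render_collection_cell_safe($payload) === $expected,
    is_valid_collection_name($benign),
    !is_valid_collection_name($payload),
];
if (in_array(false, $checks, true)) {
    throw new RuntimeException('self-check failed');
}
echo "self-check passed\n";
```

Run it with `php example.php`; the self-check at the bottom confirms that the encoded cell contains no live tag while the unsafe one does.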
Update ClipBucket to version 5.5.2 - #157 or later. This version contains a fix for the stored XSS vulnerability. The update removes the ability of malicious users to inject JavaScript code into the administration panel.
CVE-2025-64338 is a Stored XSS vulnerability in ClipBucket v5, allowing authenticated users to inject malicious code into collection names, potentially compromising administrator accounts.
You are affected if you are running ClipBucket v5 versions 5.5.2 - #156 or earlier. Upgrade to 5.5.2 - #157 to mitigate the risk.
Upgrade ClipBucket to version 5.5.2 - #157 or later. Implement input validation and sanitization as a temporary workaround if upgrading is not immediately possible.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-64338, but patching is still recommended.
Refer to the ClipBucket security advisory for detailed information and updates regarding CVE-2025-64338: [https://www.clipbucket.net/security-advisories/]