CVE-2025-64336

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Photos feature is vulnerable to stored Cross-site Scripting (XSS). An authenticated regular user can upload a photo with a malicious Photo Title containing HTML/JavaScript code. While the payload does not execute in the user-facing photo gallery or detail pages, it is rendered unsafely in the Admin → Manage Photos section, resulting in JavaScript execution in the administrator’s browser. This issue is fixed in version 5.5.2-#147.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc	Patch
https://github.com/MacWarrior/clipbucket-v5/releases/tag/5.5.2-%23147	Release Notes
https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-hjc2-5329-j49w	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*

History

05 Dec 2025, 20:57

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
First Time		Oxygenz clipbucket Oxygenz
References	~~() https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc -~~	() https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc - Patch
References	~~() https://github.com/MacWarrior/clipbucket-v5/releases/tag/5.5.2-%23147 -~~	() https://github.com/MacWarrior/clipbucket-v5/releases/tag/5.5.2-%23147 - Release Notes
References	~~() https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-hjc2-5329-j49w -~~	() https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-hjc2-5329-j49w - Exploit, Vendor Advisory
CPE		cpe:2.3:a:oxygenz:clipbucket::::::::
Summary		(es) ClipBucket v5 es una plataforma de código abierto para compartir videos. En las versiones 5.5.2-#146 e inferiores, la función "Manage Photos" es vulnerable a cross-site scripting (XSS) almacenado. Un usuario regular autenticado puede subir una foto con un Título de Foto malicioso que contenga código HTML/JavaScript. Aunque la carga útil no se ejecuta en la galería de fotos o en las páginas de detalles orientadas al usuario, se renderiza de forma insegura en la sección Admin ? Manage Photos, lo que resulta en la ejecución de JavaScript en el navegador del administrador. Este problema se corrige en la versión 5.5.2-#147.

07 Nov 2025, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-07 05:16

Updated : 2025-12-05 20:57

NVD link : CVE-2025-64336

Mitre link : CVE-2025-64336

CVE.ORG link : CVE-2025-64336

JSON object : View

Products Affected

oxygenz

clipbucket

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-269

Improper Privilege Management

5.4 /10