CVE-2025-64336
07.11.2025, 05:16
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Photos feature is vulnerable to stored Cross-site Scripting (XSS). An authenticated regular user can upload a photo with a malicious Photo Title containing HTML/JavaScript code. While the payload does not execute in the user-facing photo gallery or detail pages, it is rendered unsafely in the Admin Manage Photos section, resulting in JavaScript execution in the administrator's browser. This issue is fixed in version 5.5.2-#147.
Awaiting analysis
This vulnerability is currently awaiting analysis.