CVE-2025-64339

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS),specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer’s browser, including administrators. This issue is fixed in version 5.5.2-#147.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc	Patch
https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*

History

26 Nov 2025, 15:42

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
References	~~() https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc -~~	() https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc - Patch
References	~~() https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv -~~	() https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv - Exploit, Vendor Advisory
First Time		Oxygenz Oxygenz clipbucket
CPE		cpe:2.3:a:oxygenz:clipbucket::::::::
Summary		(es) ClipBucket v5 es una plataforma de código abierto para compartir videos. En las versiones 5.5.2-#146 e inferiores, la función 'Manage Playlists' (Gestionar Listas de Reproducción) es vulnerable a 'cross-site scripting' (XSS) almacenado, específicamente en el campo 'Playlist Name' (Nombre de la Lista de Reproducción). Un usuario autenticado con bajos privilegios puede crear una lista de reproducción con un nombre malicioso que contenga código HTML/JavaScript, el cual se renderiza sin escapar en las páginas de detalle y listado de las listas de reproducción. Esto resulta en la ejecución arbitraria de JavaScript en el navegador de cada espectador, incluyendo a los administradores. Este problema está solucionado en la versión 5.5.2-#147.

07 Nov 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-07 06:15

Updated : 2025-11-26 15:42

NVD link : CVE-2025-64339

Mitre link : CVE-2025-64339

CVE.ORG link : CVE-2025-64339

JSON object : View

Products Affected

oxygenz

clipbucket

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10