CVE-2025-64338

CRITICAL

Oxygenz Clipbucket < 5.5.2-157 - XSS

Title source: rule

Description

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which making ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is rendered unsafely in the Admin → Manage Photos interface, causing it to execute in the administrator’s browser, therefore allowing an attacker to target administrators and perform actions with elevated privileges. This issue is fixed in version 5.5.2 - #157.

References (2)

[Exploit, Vendor Advisory] https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-93rh-fxxx-j38j

[Patch] https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc

View Patch ZIP pw:eip

Scores

CVSS v3 9.0

EPSS 0.0004

EPSS Percentile 13.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-269 CWE-79

Status published

Products (1)

oxygenz/clipbucket 5.3 - 5.5.2-157

Published Nov 07, 2025

Tracked Since Feb 18, 2026