CVE-2025-62429 | THREATINT

Description

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 #147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/admin_area/actions/update_launch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is not performed, and by injecting malicious code an attacker can execute arbitrary PHP code. This allows an attacker to achieve RCE. This issue has been resolved in version 5.5.2 #147.

PUBLISHED Reserved 2025-10-13 | Published 2025-10-20 | Updated 2025-10-20 | Assigner GitHub_M

HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 5.5.2 #147

affected

References

github.com/...ket-v5/security/advisories/GHSA-3x4g-x3gv-rjmq

github.com/...ommit/e81bac602c871bb1ad971884003a3a496a2ab50b

github.com/MacWarrior/clipbucket-v5/releases/tag/5.5.2-#147

cve.org (CVE-2025-62429)

nvd.nist.gov (CVE-2025-62429)

Download JSON