Home

Description

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Photos feature is vulnerable to stored Cross-site Scripting (XSS). An authenticated regular user can upload a photo with a malicious Photo Title containing HTML/JavaScript code. While the payload does not execute in the user-facing photo gallery or detail pages, it is rendered unsafely in the Admin → Manage Photos section, resulting in JavaScript execution in the administrator’s browser. This issue is fixed in version 5.5.2-#147.

PUBLISHED Reserved 2025-10-30 | Published 2025-11-07 | Updated 2025-11-07 | Assigner GitHub_M




HIGH: 7.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-269: Improper Privilege Management

Product status

< 5.5.2-#147
affected

References

github.com/...ket-v5/security/advisories/GHSA-hjc2-5329-j49w

github.com/...ommit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc

github.com/MacWarrior/clipbucket-v5/releases/tag/5.5.2-#147

cve.org (CVE-2025-64336)

nvd.nist.gov (CVE-2025-64336)

Download JSON