CVE-2025-64339
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-07

Last updated on: 2025-11-26

Assigner: GitHub, Inc.

Description
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS),specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer’s browser, including administrators. This issue is fixed in version 5.5.2-#147.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-07
Last Modified
2025-11-26
Generated
2026-06-16
AI Q&A
2025-11-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64339
EUVD
EUVD-2025-38242
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oxygenz clipbucket From 5.3 (inc) to 5.5.2-147 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-site Scripting (XSS) issue in ClipBucket v5 versions 5.5.2-#146 and below. It occurs in the Manage Playlists feature, specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML or JavaScript code. This code is stored and then rendered unescaped on playlist detail and listing pages, causing arbitrary JavaScript to execute in the browsers of anyone viewing the playlist, including administrators.

Impact Analysis

The vulnerability allows an attacker with low privileges to execute arbitrary JavaScript code in the browsers of users who view the malicious playlist, including administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential compromise of the entire application or user accounts.

Mitigation Strategies

Upgrade ClipBucket to version 5.5.2-#147 or later, where the stored Cross-site Scripting (XSS) vulnerability in the Manage Playlists feature is fixed. Additionally, restrict playlist creation permissions to trusted users and monitor for suspicious playlist names containing HTML or JavaScript code.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart