Unrated severity · OSV Advisory · Published Dec 15, 2025 · Updated Dec 16, 2025
ClipBucket's Manage Photos Feature is Vulnerable to Stored XSS via Collection Name
CVE-2025-64338
Description
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, making ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is rendered unsafely in the Admin → Manage Photos interface, causing it to execute in the administrator’s browser, therefore allowing an attacker to target administrators and perform actions with elevated privileges. This issue is fixed in version 5.5.2 - #157.
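The root cause described above is an output-encoding gap: a user-supplied collection name is stored and later written into the admin page as HTML. The following is an added example, not ClipBucket's code and not the upstream patch; the function names, array keys and sample rows are assumptions constructed for illustration. It contrasts unescaped and escaped rendering of a collection name and includes a small audit helper for already-stored names.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored photo collections.
// The keys are hypothetical and do not reflect ClipBucket's schema.
$collections = [
    ['id' => 1, 'owner' => 'alice', 'name' => 'Holiday 2025'],
    ['id' => 2, 'owner' => 'bob',   'name' => 'Cats & Dogs'],
    ['id' => 3, 'owner' => 'eve',   'name' => '<script>alert(1)</script>'],
];

// Unsafe pattern: the stored name is concatenated into HTML unchanged,
// so any markup in it is parsed by the administrator's browser.
function render_row_unsafe(array $c): string
{
    return '<td class="collection">' . $c['name'] . '</td>';
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES also covers quoted attribute values; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function render_row_safe(array $c): string
{
    $name = htmlspecialchars($c['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="collection">' . $name . '</td>';
}

// Audit helper: list stored names containing angle brackets, which a plain
// collection title rarely needs. A hit is a lead for manual review, not
// proof of abuse; "Cats & Dogs" is not flagged.
function find_suspect_names(array $rows): array
{
    return array_values(array_filter(
        $rows,
        static fn(array $c): bool => preg_match('/[<>]/', $c['name']) === 1
    ));
}

foreach ($collections as $c) {
    printf("unsafe: %s\nsafe:   %s\n", render_row_unsafe($c), render_row_safe($c));
}
foreach (find_suspect_names($collections) as $c) {
    printf("review collection id=%d owner=%s\n", $c['id'], $c['owner']);
}
```

Encoding belongs at the point of output so that names stored before an upgrade are also rendered inertly; the audit helper only identifies rows worth inspecting after upgrading to the fixed version.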
Affected products
- Range: 5.3, 5.3.1, 5.4.0, …
Patches
No patches discovered yet.
References
- github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc (mitre, x_refsource_MISC)
- github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-93rh-fxxx-j38j (mitre, x_refsource_CONFIRM)