
CVE-2025-62430: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MacWarrior clipbucket-v5

Severity: Medium
Published: Fri Oct 17 2025 (10/17/2025, 17:50:23 UTC)
Source: CVE Database V5
Vendor/Project: MacWarrior
Product: clipbucket-v5

Description

CVE-2025-62430 is a stored cross-site scripting (XSS) vulnerability in ClipBucket v5 versions prior to build 5.5.2 #146. It affects multiple video and photo metadata fields where user input is not properly sanitized, allowing malicious script injection. An attacker with edit permissions on videos or photos can inject scripts that execute when any user, including unauthenticated visitors or administrators, views the affected pages. Although HttpOnly cookies prevent direct cookie theft, the injected scripts can perform unauthorized fetch requests to sensitive admin endpoints, potentially leaking data or triggering unintended actions. The vulnerability has a CVSS score of 5.4 (medium severity) and requires user interaction to trigger. The issue is fixed in build 5.5.2 #146.

AI-Powered Analysis

Last updated: 10/24/2025, 18:22:14 UTC

Technical Analysis

CVE-2025-62430 is a stored cross-site scripting (XSS) vulnerability in the open-source video sharing platform ClipBucket v5, affecting versions prior to build 5.5.2 #146. It arises from improper neutralization of user-supplied input in several metadata fields associated with videos and photos. For videos, the Tags, Genre, Actors, Producer, Executive Producer, and Director fields within Movieinfos are not adequately sanitized; for photos, the Photo Title and Photo Tags fields are similarly affected. An attacker with permission to edit video or photo metadata can store crafted input in these fields, such as closing delimiters followed by script elements, and that input is later written into the page without neutralization. When any user, including unauthenticated visitors or administrators, views the affected video or photo page, the injected script executes in that user's browser context. Although cookies carry the HttpOnly attribute, which blocks direct cookie theft from JavaScript, the script runs within the viewer's authenticated session and can issue fetch requests to sensitive endpoints such as admin_area pages, leading to unauthorized data exfiltration or unintended administrative actions when the viewer is an administrator. Planting the script requires editing rights on the media content; triggering it requires nothing more than viewing the page. The CVSS 3.1 base score is 5.4 (medium): network attack vector, low attack complexity, no privileges required for script execution, and user interaction required (viewing the page). Confidentiality and integrity are affected; availability is not. The issue was publicly disclosed on October 17, 2025, and fixed in build 5.5.2 #146. No workarounds are known, so patching is the only effective mitigation.

Potential Impact

For European organizations running ClipBucket v5 builds prior to 5.5.2 #146, this vulnerability poses a significant risk to the confidentiality and integrity of their web applications. Attackers with editing permissions can inject scripts that execute in the browsers of site visitors, including administrators, potentially leading to unauthorized data access or manipulation: leakage of sensitive administrative data, unauthorized changes to content or settings, and erosion of user trust. Because the affected video and photo pages are publicly accessible, the stored script reaches unauthenticated visitors as well, and an attacker needs only editing rights, obtainable for example through a compromised account or weak access controls, to plant it. The impact is greater for organizations that use ClipBucket to share sensitive or proprietary media. Availability is not directly affected, but reputational damage and potential regulatory consequences under GDPR for a data breach could be substantial. The medium CVSS score reflects moderate risk, yet the ease of exploitation by insiders or compromised users raises the practical threat level. European entities operating media platforms or community sites on ClipBucket should treat remediation of this vulnerability as a priority.

Mitigation Recommendations

The primary mitigation is to upgrade ClipBucket v5 installations to build 5.5.2 #146 or later, where the vulnerability is fixed. Since no known workarounds exist, patching is critical. Because the XSS is stored, payloads already saved in video or photo metadata remain in the database after the upgrade; review existing metadata for injected markup and remove it. Additionally, organizations should enforce strict access controls to limit who can edit video and photo metadata, reducing the risk of malicious input injection. Web application firewall (WAF) rules that detect and block common XSS payloads in metadata fields can provide temporary protection. Regularly audit user permissions and monitor logs for unusual editing activity. Employ Content Security Policy (CSP) headers to restrict script execution sources, limiting the impact of any injected script. Conduct security awareness training for administrators and content editors to recognize suspicious behavior. Finally, perform periodic vulnerability scanning and penetration testing on ClipBucket deployments to detect similar injection flaws proactively.
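As an added illustration of the rendering flaw described in the technical analysis and of the post-patch audit and CSP header recommended above (not ClipBucket's own code; the field names come from the advisory, while the render functions, sample records and CSP value are constructed here):

```python
"""Output-encoding fix and stored-metadata audit for the CVE-2025-62430 pattern.

Illustration only, not ClipBucket code. Field names come from the advisory;
the render functions, sample records and CSP value are constructed here.
"""
import html
import re

# Metadata fields the advisory names as unsanitized (video Movieinfos and photo fields).
AFFECTED_FIELDS = ("tags", "genre", "actors", "producer", "executive_producer",
                   "director", "photo_title", "photo_tags")

# Heuristic: a tag, an on*= handler attribute or a javascript: URL inside plain
# metadata text has no legitimate use and is worth a manual look.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def render_vulnerable(field: str, value: str) -> str:
    """The flawed pattern: the stored value is concatenated into HTML as-is."""
    return f'<span class="{field}">{value}</span>'


def render_fixed(field: str, value: str) -> str:
    """Hardened: entity-encode &, <, >, " and ' before the value reaches the page."""
    return f'<span class="{field}">{html.escape(value, quote=True)}</span>'


def audit_record(record: dict) -> list:
    """List (field, value) pairs whose stored metadata looks like injected markup.

    Run this after upgrading: patching fixes rendering, but payloads already
    stored in the database remain until someone removes them.
    """
    return [(f, record[f]) for f in AFFECTED_FIELDS
            if f in record and MARKUP_RE.search(str(record[f]))]


# A CSP along the lines the mitigation section suggests: inline script is not
# allowed, so an injected <script> element is blocked even if rendering slips.
CSP_HEADER = ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
              "object-src 'none'; base-uri 'self'")

# Constructed sample records, not real data; record 2 carries a script element in Genre.
SAMPLE_VIDEOS = [
    {"id": 1, "tags": "travel, alps", "genre": "documentary", "director": "A. Example"},
    {"id": 2, "tags": "music", "genre": '"><script>/* injected */</script>', "director": "B. Example"},
]

if __name__ == "__main__":
    for video in SAMPLE_VIDEOS:
        print(video["id"], render_fixed("genre", video["genre"]), audit_record(video))
```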


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-13T16:26:12.181Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f284899c34d0947f39a008

Added to database: 10/17/2025, 6:01:45 PM

Last enriched: 10/24/2025, 6:22:14 PM

Last updated: 12/3/2025, 11:53:44 AM