CVE-2025-64336: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MacWarrior clipbucket-v5
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Photos feature is vulnerable to stored Cross-site Scripting (XSS). An authenticated regular user can upload a photo with a malicious Photo Title containing HTML/JavaScript code. While the payload does not execute in the user-facing photo gallery or detail pages, it is rendered unsafely in the Admin → Manage Photos section, resulting in JavaScript execution in the administrator’s browser. This issue is fixed in version 5.5.2-#147.
AI Analysis
Technical Summary
CVE-2025-64336 is a stored Cross-site Scripting (XSS) vulnerability in the open-source video sharing platform ClipBucket v5, affecting versions 5.5.2-#146 and earlier. The root cause is improper neutralization of input during web page generation (CWE-79) in the Manage Photos feature: the Photo Title entered at upload time is stored as typed, and while the user-facing photo gallery and photo detail pages do not execute it (they render it as text), the administrative page under Admin → Manage Photos inserts it into the HTML without encoding. An authenticated regular user can therefore set a Photo Title containing HTML or JavaScript, and the payload runs in the browser of any administrator who opens Manage Photos. Because the script executes in the administrator's origin and session, an attacker can perform administrative actions, manipulate or delete content, or steal session material, effectively escalating from a regular account to administrator. Two roles are involved: the attacker needs only a low-privileged (regular) account, and the administrator is the victim who must view the affected page for the payload to fire. The published CVSS v4.0 score is 7.2 (high). The issue is fixed in ClipBucket version 5.5.2-#147. No public exploit has been reported, but the advisory describes the attack precisely enough that unpatched deployments should be treated as exposed.
Potential Impact
For European organizations using ClipBucket v5 for video sharing or content management, this vulnerability poses a significant risk to administrative account security and overall platform integrity. Successful exploitation could lead to administrative session hijacking, unauthorized content manipulation, or deployment of further malicious payloads within the administrative environment. This could result in data breaches, defacement, or disruption of services. Given that the vulnerability requires only a regular authenticated user account, insider threats or compromised user accounts could be leveraged to attack administrators. The impact is particularly critical for organizations relying on ClipBucket for internal or customer-facing video content, including media companies, educational institutions, and enterprises with digital asset management needs. The vulnerability could also facilitate lateral movement within networks if administrative credentials are compromised. Although no known exploits are currently in the wild, the public availability of the vulnerability details increases the risk of targeted attacks. European organizations must assess their exposure and remediate promptly to avoid potential reputational damage and regulatory consequences under GDPR if personal data is compromised.
Mitigation Recommendations
1. Upgrade ClipBucket to version 5.5.2-#147 or later. This is the only change that removes the bug, since it adds the missing output encoding in the Manage Photos page.
2. Treat every user-supplied field as untrusted at render time, not only at input time: apply context-appropriate output encoding (HTML entity encoding for element content and quoted attributes) in every template that displays it, including administrative ones. Input filtering alone is insufficient, because the same stored value is rendered in several places with different escaping, which is exactly how this bug arose.
3. Where possible, restrict photo upload to trusted accounts, and review already-stored photo titles for markup or event-handler attributes before an administrator opens Manage Photos on an unpatched instance; stored payloads remain dangerous until the page is fixed.
4. Deploy a Content Security Policy that disallows inline script (no 'unsafe-inline' in script-src; use nonces or hashes for legitimate inline script). A CSP that still permits inline script does not mitigate this class of bug.
5. Include administrative interfaces in regular security audits and penetration tests; stored XSS that only fires in admin views is routinely missed when testing focuses on public pages.
6. Train administrators to expect hostile content in management consoles. The payload here fires when the page renders, so caution alone is not a control, but awareness speeds up triage.
7. Monitor for unusual administrative activity (new admin accounts, mass deletions, settings changes) performed from an administrator's session shortly after they visited Manage Photos.
8. Set session cookies with the HttpOnly and SameSite attributes and require multi-factor authentication (MFA) for administrative accounts. Neither stops script already running in the admin's session from acting on their behalf, but together they limit cookie theft and credential reuse.
9. Restrict access to the admin area to a VPN or an IP allowlist. This reduces exposure of the admin interface but does not prevent this attack, because the payload is delivered through a regular user's upload and executed by the administrator from inside the allowed network.
10. Maintain an incident response plan for suspected compromise of administrative accounts stemming from this vulnerability.
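The asymmetry the advisory describes (one stored title, harmless on the public gallery, executable in the admin list) and the render-time encoding fix from item 2 above, as an added example. This is not ClipBucket's code and is not taken from the #147 fix; the table layout, the column names photo_id/userid/photo_title, the delete link and the sample rows are assumptions chosen purely for illustration. The last function is a triage helper for item 3: it finds already-stored titles worth reviewing on an unpatched instance.

```python
# Added example for this advisory, not ClipBucket's own code. It models the
# pattern the advisory describes: one stored photo title, encoded on the public
# gallery page but interpolated raw into the Admin -> Manage Photos table.
# Column names (photo_id, userid, photo_title) and the markup are assumptions
# chosen for illustration only.
import html
import re

# Constructed sample rows, as a photos table might hold them. The title column
# stores exactly what the uploader typed; safety is decided at render time.
PHOTOS = [
    {"photo_id": 1, "userid": 7, "photo_title": "Sunset over Lisbon"},
    {"photo_id": 2, "userid": 9,
     "photo_title": "<img src=x onerror=alert(document.cookie)>"},
    {"photo_id": 3, "userid": 9, "photo_title": 'Trip "2025" <b>best</b>'},
]


def render_public_gallery(rows):
    """User-facing gallery: the title is HTML-encoded, so markup is shown as
    text. This is why the payload is inert on the gallery and detail pages."""
    return "\n".join(
        f'<li class="photo">{html.escape(r["photo_title"], quote=True)}</li>'
        for r in rows
    )


def render_admin_list_vulnerable(rows):
    """Admin list with the bug: the raw title is dropped into the HTML, so an
    <img onerror=...> or <script> in it runs in the administrator's browser."""
    return "\n".join(
        f'<tr><td>{r["photo_id"]}</td><td>{r["photo_title"]}</td>'
        f'<td><a href="?mode=delete&amp;photo_id={r["photo_id"]}">delete</a></td></tr>'
        for r in rows
    )


def render_admin_list_fixed(rows):
    """Hardened admin list: same rows, same layout, but the title is encoded
    for the HTML text context. quote=True also makes it safe inside a quoted
    attribute such as the title="" tooltip used here."""
    out = []
    for r in rows:
        safe = html.escape(r["photo_title"], quote=True)
        out.append(
            f'<tr><td>{r["photo_id"]}</td><td title="{safe}">{safe}</td>'
            f'<td><a href="?mode=delete&amp;photo_id={r["photo_id"]}">delete</a></td></tr>'
        )
    return "\n".join(out)


# Triage pattern for data already in the database: a tag opener, an inline
# event handler or a javascript: URL in a title deserves a look before an
# administrator opens Manage Photos on an unpatched instance. It is a review
# aid, not a filter (encoding at render time is the fix), so a few false
# positives are acceptable.
SUSPICIOUS_RE = re.compile(
    r"<\s*/?[a-zA-Z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def find_suspicious_titles(rows):
    """Return the photo_ids whose stored title contains markup-like content."""
    return [r["photo_id"] for r in rows if SUSPICIOUS_RE.search(r["photo_title"])]


if __name__ == "__main__":
    print("--- public gallery (encoded) ---")
    print(render_public_gallery(PHOTOS))
    print("--- admin list, vulnerable (raw) ---")
    print(render_admin_list_vulnerable(PHOTOS))
    print("--- admin list, fixed (encoded) ---")
    print(render_admin_list_fixed(PHOTOS))
    print("titles needing review:", find_suspicious_titles(PHOTOS))
```

Run it and compare the three renderings: the same `<img onerror>` title appears as literal text in the gallery and in the fixed admin list, but as a live tag in the vulnerable one. Escaping is a property of each template rather than of the stored value, so after upgrading, the check to make is that the Manage Photos template, and any other admin view showing user-supplied fields, encodes on output.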
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-30T17:40:52.030Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690d79bf3ea13e495ec0cafb
Added to database: 11/7/2025, 4:46:55 AM
Last enriched: 11/14/2025, 4:50:35 AM
Last updated: 12/23/2025, 5:55:31 AM
Views: 101