CVE-2025-64338: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MacWarrior clipbucket-v5
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which makes ClipBucket’s Manage Photos feature vulnerable to stored XSS. The payload is rendered unsafely in the Admin → Manage Photos interface, causing it to execute in the administrator’s browser and allowing an attacker to target administrators and perform actions with elevated privileges. This issue is fixed in version 5.5.2 - #157.
AI Analysis
Technical Summary
CVE-2025-64338 is a stored cross-site scripting (XSS) vulnerability affecting ClipBucket v5 versions prior to 5.5.2 - #157. ClipBucket is an open-source video sharing platform widely used for hosting and managing video content. The vulnerability arises because the application fails to properly sanitize or neutralize HTML/JavaScript input in the Collection Name field when authenticated regular users create photo collections. This malicious input is stored and later rendered unsafely in the administrative interface under Manage Photos. When an administrator accesses this interface, the embedded JavaScript payload executes in their browser context, effectively allowing the attacker to hijack the admin session, perform unauthorized actions, or escalate privileges. The vulnerability requires the attacker to have a valid user account and to lure an administrator to the compromised interface, implying some level of user interaction. The CVSS vector indicates network attack vector, low attack complexity, no privileges required for injection but privileges required for initial access (authenticated user), and user interaction needed for exploitation. The impact on confidentiality and integrity is limited but significant due to potential administrative control compromise. The vulnerability is fixed in version 5.5.2 - #157, and no known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations using ClipBucket v5, this vulnerability poses a risk of administrative account compromise, which could lead to unauthorized content manipulation, data leakage, or further internal exploitation. Since the attack requires an authenticated user account, insider threats or compromised user credentials increase risk. The ability to execute scripts in the administrator’s browser can lead to session hijacking, privilege escalation, and potential full control over the ClipBucket installation. This could disrupt video sharing services, damage organizational reputation, and expose sensitive user data. Organizations relying on ClipBucket for public-facing or internal video content management should consider the risk of targeted attacks, especially in sectors where video content is critical, such as media, education, and government. The medium severity score reflects moderate impact but the potential for significant damage if exploited in high-value environments.
Mitigation Recommendations
1. Upgrade ClipBucket to version 5.5.2 - #157 or later, where this vulnerability is fixed.
2. Implement strict input validation and output encoding for all user-supplied data, especially in fields rendered in administrative interfaces.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin interface.
4. Limit administrative interface access using network segmentation, VPNs, or IP whitelisting to reduce exposure.
5. Monitor user activity logs for suspicious behavior, such as unusual photo collection creation or admin interface access patterns.
6. Educate administrators about the risk of clicking on untrusted links or interfaces that could trigger XSS payloads.
7. Consider implementing multi-factor authentication (MFA) for administrative accounts to reduce the impact of session hijacking.
8. Regularly audit and sanitize existing photo collection names to remove potentially malicious scripts.
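Recommendations 2, 3 and 8 describe a pattern rather than ClipBucket-specific code, so the following added example (written for this page, not taken from the ClipBucket project or its fix) shows what they look like in generic PHP: an unencoded admin-listing row beside its output-encoded form, a Content-Security-Policy header for the admin pages, and a small audit helper that flags stored collection names containing markup. The functions `renderRowUnsafe`, `renderRowSafe`, `adminSecurityHeaders` and `findSuspiciousNames`, the array keys `collection_id`/`collection_name` and the sample rows are all assumptions constructed for the example.

```php
<?php
// Added example (not ClipBucket's own code): output-encoding a user-supplied
// collection name before it reaches an admin listing, plus CSP and an audit helper.
declare(strict_types=1);

/**
 * Encode a string for safe insertion into an HTML text node or a double-quoted
 * attribute value. ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of silently returning an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored name is interpolated into markup verbatim. */
function renderRowUnsafe(array $collection): string
{
    return "<tr><td>{$collection['collection_name']}</td>"
         . "<td><a href=\"edit.php?id={$collection['collection_id']}\">edit</a></td></tr>\n";
}

/** Hardened pattern: every dynamic value is encoded for the context it lands in. */
function renderRowSafe(array $collection): string
{
    $name = e($collection['collection_name']);
    // The id is numeric by design; casting removes any chance of injecting into the URL.
    $id = (int) $collection['collection_id'];
    return "<tr><td>{$name}</td>"
         . "<td><a href=\"edit.php?id={$id}\">edit</a></td></tr>\n";
}

/**
 * Defence in depth for the admin interface: a CSP without 'unsafe-inline' means an
 * injected inline <script> is refused by the browser even if encoding is missed somewhere.
 * The nonce must be generated per response and placed on the page's own <script> tags.
 */
function adminSecurityHeaders(string $nonce): array
{
    return [
        'Content-Security-Policy' => "default-src 'self'; script-src 'self' 'nonce-{$nonce}'; "
                                   . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        'X-Content-Type-Options'  => 'nosniff',
    ];
}

/**
 * Audit helper for existing data: returns the ids of collections whose stored name
 * contains HTML tags or an inline event-handler attribute (a plain name contains neither).
 */
function findSuspiciousNames(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $name = (string) $row['collection_name'];
        if (strip_tags($name) !== $name || preg_match('/\bon[a-z]+\s*=/i', $name)) {
            $flagged[] = (int) $row['collection_id'];
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for what a database query would return.
$rows = [
    ['collection_id' => 7, 'collection_name' => 'Summer trip'],
    ['collection_id' => 8, 'collection_name' => 'Test <script>alert(1)</script>'],
];

echo "Unsafe rendering:\n";
foreach ($rows as $row) {
    echo renderRowUnsafe($row);            // tags in the name reach the browser as markup
}
echo "\nEncoded rendering:\n";
foreach ($rows as $row) {
    echo renderRowSafe($row);              // tags in the name are shown as literal text
}

echo "\nCollections needing review: " . implode(', ', findSuspiciousNames($rows)) . "\n";

$nonce = bin2hex(random_bytes(16));
foreach (adminSecurityHeaders($nonce) as $header => $value) {
    if (!headers_sent()) {
        header("{$header}: {$value}");
    }
    echo "{$header}: {$value}\n";
}
```

The encoding is applied at output time, at the point where the value is placed into HTML, rather than on input: the same stored name may later be emitted into JSON, a URL or a plain-text e-mail, each needing a different encoder. The audit helper is deliberately conservative (any angle bracket is flagged) so that its output is a review list for an administrator, not an automatic rewrite of user data.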
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-30T17:40:52.030Z
- Cvss Version: null
- State: REJECTED
Threat ID: 690d7e3a3ea13e495ec6402c
Added to database: 11/7/2025, 5:06:02 AM
Last enriched: 12/23/2025, 4:55:53 AM
Last updated: 12/25/2025, 1:18:42 PM