CVE-2025-64339: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MacWarrior clipbucket-v5
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS), specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer’s browser, including administrators. This issue is fixed in version 5.5.2-#147.
AI Analysis
Technical Summary
CVE-2025-64339 is a stored Cross-site Scripting (XSS) vulnerability affecting ClipBucket v5, an open source video sharing platform widely used for hosting and sharing video content. The vulnerability resides in the Manage Playlists feature, specifically within the Playlist Name field, in versions 5.5.2-#146 and earlier. An authenticated user with low privileges can create or modify a playlist name to include malicious HTML or JavaScript code. Because the application fails to properly neutralize or escape this input before rendering it on playlist detail and listing pages, the injected script executes in the context of any user viewing those pages, including administrators. This can lead to theft of session cookies, defacement, or execution of arbitrary actions on behalf of the victim user. The vulnerability requires the attacker to be authenticated but does not require elevated privileges, increasing the attack surface. The CVSS 4.0 vector indicates no network authentication is needed, low attack complexity, no privileges required, but user interaction is necessary (viewing the malicious playlist). The vulnerability does not affect confidentiality or availability directly but has high impact on integrity and user trust. The issue was publicly disclosed on November 7, 2025, and fixed in version 5.5.2-#147. No known exploits have been reported in the wild yet, but the vulnerability is straightforward to exploit given the nature of stored XSS. Organizations using ClipBucket v5 should upgrade promptly to mitigate risk.
Potential Impact
For European organizations using ClipBucket v5, this vulnerability poses a significant risk to the confidentiality and integrity of user sessions and data. Attackers exploiting this flaw can execute arbitrary JavaScript in the browsers of users, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim’s privileges. This is particularly concerning for administrators who may have elevated rights, enabling attackers to escalate their control over the platform. The stored nature of the XSS means the malicious payload persists and can affect multiple users over time, increasing the scope of impact. Video sharing platforms are often used by media companies, educational institutions, and enterprises for internal and external content distribution, so exploitation could lead to reputational damage, data leakage, and disruption of services. Additionally, attackers could use this vector as a foothold for further attacks within the organization’s network. Given the high CVSS score and the ease of exploitation by low-privileged users, the threat is material and should be addressed urgently.
Mitigation Recommendations
1. Upgrade ClipBucket v5 installations to version 5.5.2-#147 or later, where the vulnerability is patched.
2. If immediate upgrade is not possible, implement input validation and output encoding on the Playlist Name field to neutralize HTML and JavaScript content.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on playlist pages.
4. Conduct regular security audits and penetration testing focusing on user input fields to detect similar injection flaws.
5. Restrict playlist creation and modification permissions to trusted users only, minimizing exposure.
6. Educate administrators and users to recognize suspicious playlist names or unexpected behaviors.
7. Monitor logs for unusual activity related to playlist management and user sessions.
8. Consider implementing web application firewalls (WAF) with rules to detect and block XSS payloads targeting ClipBucket.
These measures together reduce the risk of exploitation and limit potential damage.
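The following is an added illustration, not code from ClipBucket or from the 5.5.2-#147 fix (which is not shown on this page). It models the flaw described in the Technical Summary and the output-encoding and monitoring recommendations above: a listing page that concatenates the stored playlist name verbatim (the "before" behaviour), the same listing with HTML-context escaping applied at output time, and an audit pass over stored names that flags rows already containing markup. The row layout (`playlist_id`, `userid`, `playlist_name`), the sample rows and all function names are constructed assumptions for the example, not ClipBucket's schema or API.

```python
import html
import re

# Constructed sample rows standing in for a playlist table. Row 2 and row 4
# carry textbook markup so the audit has something to find; they are test data,
# not payloads observed in the wild.
SAMPLE_PLAYLISTS = [
    {"playlist_id": 1, "userid": 7, "playlist_name": "Holiday videos"},
    {"playlist_id": 2, "userid": 9, "playlist_name": "<script>alert('xss')</script>"},
    {"playlist_id": 3, "userid": 9, "playlist_name": "Team & friends <b>2025</b>"},
    {"playlist_id": 4, "userid": 11, "playlist_name": '<img src=x onerror="alert(1)">'},
]


def render_listing_vulnerable(playlists):
    """'Before' behaviour: the stored name is spliced into the HTML unchanged,
    so any tag or attribute in it becomes part of the page (CWE-79)."""
    items = "".join(f"<li>{p['playlist_name']}</li>" for p in playlists)
    return f"<ul>{items}</ul>"


def render_listing_hardened(playlists):
    """'After': every untrusted value is HTML-escaped at the point of output.
    html.escape(quote=True) encodes < > & " and ', which is the right
    treatment for text placed in element content or a quoted attribute."""
    items = "".join(
        f"<li>{html.escape(p['playlist_name'], quote=True)}</li>" for p in playlists
    )
    return f"<ul>{items}</ul>"


# Heuristic for names that already hold markup: an opening/closing tag,
# an on*= event-handler attribute, or a javascript: URL scheme. Legitimate
# names containing a literal "<" will also be flagged, so treat hits as
# items to review, not as proof of abuse.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*|\bon[a-z]+\s*=|javascript:", re.I)


def audit_playlist_names(playlists):
    """Return (playlist_id, userid, playlist_name) for every stored name that
    matches SUSPICIOUS, for review after upgrading or while monitoring."""
    return [
        (p["playlist_id"], p["userid"], p["playlist_name"])
        for p in playlists
        if SUSPICIOUS.search(p["playlist_name"])
    ]


def csp_header():
    """A restrictive baseline CSP for the playlist pages (mitigation 3). It
    blocks inline script, so even an unescaped name cannot run code unless
    the page itself relies on inline scripts; adjust sources to the deployment."""
    return ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    print(render_listing_vulnerable(SAMPLE_PLAYLISTS))
    print(render_listing_hardened(SAMPLE_PLAYLISTS))
    for row in audit_playlist_names(SAMPLE_PLAYLISTS):
        print("review:", row)
    print(csp_header())
```

Escaping at output is the durable fix because it protects every place the value is rendered; input filtering alone (mitigation 2's first half) misses names that were stored before the filter existed, which is what the audit pass is for. The CSP is a second layer, not a substitute: it only helps where the application's own pages do not depend on inline scripts.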
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-30T17:40:52.030Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690d81c33ea13e495ecb0972
Added to database: 11/7/2025, 5:21:07 AM
Last enriched: 11/14/2025, 9:14:55 AM
Last updated: 12/24/2025, 12:42:10 AM
Views: 108