CRITICAL🇵🇱 Wersja polska

CVE-2025-21624

CVSS 9.8v3.1pub. 2025-01-07upd. 2025-09-05

ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script file instead of an image file, thus allowing a webshell or other malicious files to be stored and executed on the server. This attack vector exists in both the admin area and low-level user area. This vulnerability is fixed in 5.5.1 - 239.

🤖 AI Analysis
How it works

The playlist management functionality in ClipBucket V5 allows uploading cover images, however the application does not properly verify the type of uploaded file. An attacker can upload a file with a PHP script extension or content instead of a graphics file. After the file is saved on the server, it can be directly invoked through a web browser, resulting in code execution on the server side (webshell). The attack vector is accessible both from the administrative panel and from a regular user account.

Impact

An attacker can gain full control of the server by uploading and executing a webshell or other malicious code, threatening the confidentiality, integrity, and availability of the entire system.

Mitigation & patch

ClipBucket V5 should be updated to version 5.5.1 - 239 or newer, in which the vulnerability has been patched. The patch is available in the vendor's GitHub repository (commit 893bfb0f1236c4a59b5e2843ab8d27a1e491b12b).

Who is affected

ClipBucket V5 in versions prior to 5.5.1 - 239

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oxygenz Clipbucket

    APP
    Oxygenz
    5.3 – 5.5.1-239 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-25728CRITICAL9.3PL ✓ten sam produkt

TOCTOU Race Condition w ClipBucket umożliwia wykonanie kodu PHP

CVE-2026-21875CRITICAL9.8PL ✓ten sam produkt

Blind SQL Injection w ClipBucket v5 — sekcja komentarzy kanału

CVE-2025-67418CRITICAL9.8PL ✓ten sam produkt

ClipBucket 5.5.2 — hardcoded domyślne dane logowania w panelu admina

CVE-2024-54135CRITICAL9.8PL ✓ten sam produkt

PHP Deserialization w ClipBucket V5 — zdalne wykonanie kodu

CVE-2024-54136CRITICAL9.8PL ✓ten sam produkt

PHP Deserialization w ClipBucket V5 umożliwia zdalne wykonanie kodu