CVE-2025-62429
CVE-2025-62429 is a high-severity vulnerability in Oxygenz Clipbucket with a CVSS 3.x base score of 7.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-94.
Key facts
- Severity: High (CVSS 3.x base score 7.2)
- EPSS exploit prediction: 1% (51st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-35079
- Weakness: CWE-94
- Affected product: Oxygenz Clipbucket
- Published:
- Last modified:
Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 #147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/admin_area/actions/update_launch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is not performed, and by injecting malicious code an attacker can execute arbitrary PHP code. This allows an attacker to achieve RCE. This issue has been resolved in version 5.5.2 #147.
Frequently asked questions
- What is CVE-2025-62429?
- ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 #147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/admin_area/actions/update_launch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is not performed, and by injecting malicious code an attacker can execute arbitrary PHP code. This allows an attacker to achieve RCE. This issue has been resolved in version 5.5.2 #147.
- How severe is CVE-2025-62429?
- CVE-2025-62429 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-62429 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (51st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-62429?
- CVE-2025-62429 affects Oxygenz Clipbucket. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-62429?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-62429 have an EU (EUVD) identifier?
- Yes. CVE-2025-62429 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-35079.
- When was CVE-2025-62429 published?
- CVE-2025-62429 was published on 2025-10-20 and last updated on 2026-06-17.
References
- https://github.com/MacWarrior/clipbucket-v5/commit/e81bac602c871bb1ad971884003a3a496a2ab50b
- https://github.com/MacWarrior/clipbucket-v5/releases/tag/5.5.2-%23147
- https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-3x4g-x3gv-rjmq
Affected products (1)
- cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*
More vulnerabilities in Oxygenz Clipbucket
- CVE-2026-21875 — Critical (CVSS 9.8): ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform…
- CVE-2025-67418 — Critical (CVSS 9.8): ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with…
- CVE-2025-21624 — Critical (CVSS 9.8): ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in…
- CVE-2024-54136 — Critical (CVSS 9.8): ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 5.5.1 Revision 199 and below is…
- CVE-2024-54135 — Critical (CVSS 9.8): ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are…
- CVE-2025-64338 — Critical (CVSS 9.0): ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular…
All CVEs affecting Oxygenz Clipbucket →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.