PT-2025-47603 · Unknown · Clipbucket

Published: 2025-11-20 · Updated: 2025-11-21 · CVE-2025-62709

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ClipBucket versions prior to 5.5.2#162

Description: ClipBucket is a video sharing platform. A flaw in version 5.5.2 allows an attacker to control the server URL, because the URL is built dynamically from the HTTP Host header when the base URL configuration is not set. This lets an attacker manipulate the password-reset links generated by the forget.php script so that they point to the attacker's domain. If a victim follows the malicious link and enters their activation code on the attacker's domain, the attacker can capture the code and reset the victim's password, leading to account takeover. The vulnerable component is network.class.php, which builds the server URL from the client-controlled Host header.

Recommendations: Update to ClipBucket version 5.5.2#162 or later.
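As an added illustration (not ClipBucket's own code; the function names, the configuration value and the query parameter name are assumed), the vulnerable pattern described above is shown beside a hardened variant that refuses to derive the site origin from the Host header:

```php
<?php
// Added example, not ClipBucket's code. Shows why falling back to the Host
// header when no base URL is configured lets a request poison reset links,
// and one way to close the hole.

// Vulnerable pattern: trust the client-controlled Host header whenever the
// base URL setting is empty. A request carrying "Host: attacker.example"
// produces a reset link that points at attacker.example.
function build_base_url_vulnerable(array $server, ?string $configured_base_url): string
{
    if (!empty($configured_base_url)) {
        return rtrim($configured_base_url, '/');
    }
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'];
}

// Hardened pattern: the origin comes only from configuration, never from the
// request, and the Host header is checked against an allowlist so a mismatch
// is rejected (and can be logged) instead of being propagated into links.
function build_base_url_fixed(array $server, ?string $configured_base_url, array $allowed_hosts): string
{
    if (empty($configured_base_url)) {
        throw new RuntimeException('base_url must be configured; refusing to trust the Host header');
    }
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowed_hosts, true)) {
        throw new RuntimeException("Host header '{$host}' is not in the allowlist");
    }
    return rtrim($configured_base_url, '/');
}

// The query parameter name is assumed; the page only names forget.php.
function reset_link(string $base_url, string $code): string
{
    return $base_url . '/forget.php?code=' . rawurlencode($code);
}

// Constructed request: spoofed Host header, no base URL configured.
$request = ['HTTP_HOST' => 'attacker.example', 'HTTPS' => 'on'];
$code = 'ACTIVATION-CODE-PLACEHOLDER';

echo reset_link(build_base_url_vulnerable($request, null), $code), PHP_EOL;

try {
    echo reset_link(build_base_url_fixed($request, 'https://videos.example', ['videos.example']), $code), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first line printed is the poisoned link; the second shows the hardened variant refusing the spoofed host, which is also a useful signal to alert on.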

Related Identifiers

CVE-2025-62709
GHSA-XHHF-MPQR-2CQ5

Affected Products

Clipbucket