CVE-2025-62709 – ClipBucket v5 is vulnerable to password reset link manipulation

CVE ID : CVE-2025-62709

Published : Nov. 20, 2025, 4:50 p.m. | 24 minutes ago

Description : ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This allows an attacker to cause password-reset links (sent by forget.php) to be generated with the attacker’s domain. If a victim follows that link and enters their activation code on the attacker-controlled domain, the attacker can capture the code and use it to reset the victim’s password and take over the account. This issue has been patched in version 5.5.2#162.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…