CRITICAL🇵🇱 Wersja polska

CVE-2025-67418

CVSS 9.8v3.1pub. 2025-12-22upd. 2026-07-05

ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application.

🤖 AI Analysis
How it works

ClipBucket 5.5.2 is deployed with default, hardcoded credentials for the administration panel (CWE-798 — use of hardcoded credentials). Without any prior authentication, an attacker can use these known, publicly available credentials to gain access to the administrative interface. No user interaction or knowledge of the target environment specifics is required — network access to the application management panel is sufficient.

Impact

Attacker gains full administrative control over the application, which may lead to account takeover, data leaks, content modification, and potential further compromise of server infrastructure.

Mitigation & patch

Default administrator credentials must be changed immediately after each installation or application update. It is recommended to apply patches available from the vendor according to references. Until the update is applied, access to the administration panel should be restricted exclusively to trusted IP addresses using a firewall or other access control mechanisms.

Who is affected

ClipBucket version 5.5.2 (Oxygenz company product)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oxygenz Clipbucket

    APP
    Oxygenz
    5.3 – 5.5.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-25728CRITICAL9.3PL ✓ten sam produkt

TOCTOU Race Condition w ClipBucket umożliwia wykonanie kodu PHP

CVE-2026-21875CRITICAL9.8PL ✓ten sam produkt

Blind SQL Injection w ClipBucket v5 — sekcja komentarzy kanału

CVE-2025-21624CRITICAL9.8PL ✓ten sam produkt

ClipBucket V5 — nieograniczony upload plików PHP przez funkcję playlist

CVE-2024-54135CRITICAL9.8PL ✓ten sam produkt

PHP Deserialization w ClipBucket V5 — zdalne wykonanie kodu

CVE-2024-54136CRITICAL9.8PL ✓ten sam produkt

PHP Deserialization w ClipBucket V5 umożliwia zdalne wykonanie kodu