Description
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class.php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class.php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication.
Published: 2026-01-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL Injection
Action: Assess Impact
AI Analysis

Impact

ClipBucket v5, versions 5.5.2-#187 and older, contains a blind SQL injection flaw that allows an attacker to supply a specially crafted value for the obj_id parameter in the /actions/ajax.php endpoint. The value is concatenated directly into a database count query without validation, enabling attackers to read or manipulate database content. This results in serious confidentiality compromise, with potential for further escalation if additional weaknesses exist.

Affected Systems

All installations of the ClipBucket v5 content management system running version 5.5.2-#187 or earlier are affected. The vulnerability is present in the default open source package and does not require any custom configuration changes.

Risk and Exploitability

The vulnerability is rated CVSS 9.8, indicating a high severity with full threat impact. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw through web traffic, potentially requiring authenticated access to the comment posting interface; the vector is inferred to be web-based (HTTP POST). Once compromised, attackers can extract sensitive data and potentially execute additional commands within the database.

Generated by OpenCVE AI on April 18, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Await an official vendor patch or upgrade to a version newer than 5.5.2-#187 once available.
  • If a patch is unavailable, disable the channel comment functionality or restrict the /actions/ajax.php endpoint to a minimal user group to reduce exposure.
  • Implement input validation on the obj_id field, allowing only numeric values, or employ a web application firewall to block SQL injection patterns before they reach the application.
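The third action above (accept only numeric obj_id values) is the fix that removes the flaw rather than masking it; a WAF only filters known patterns. The following PHP is an added example, not ClipBucket's own code: it places the concatenation pattern the advisory describes beside a hardened lookup that validates the id as an integer and binds it as a query parameter. The table, column and function names (users, userid, user_exists_vulnerable, user_exists_safe) are constructed for the demo, and an in-memory SQLite database stands in for the real MySQL backend so the script runs offline with php-cli and pdo_sqlite.

```php
<?php
// Added example (not ClipBucket's own code): the insecure lookup pattern
// described in the advisory beside a hardened version of the same check.
// Table and column names are constructed for this demo.

// In-memory SQLite so the example runs offline; a deployment would use MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (userid, username) VALUES (1, 'alice'), (2, 'bob')");

// INSECURE pattern: the raw request value is concatenated into the WHERE clause.
// A quote in $id changes the query structure, so a tautology makes the count
// non-zero for an id that does not exist. That true/false difference is the
// oracle a blind injection reads.
function user_exists_vulnerable(PDO $db, string $id): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE userid = '" . $id . "'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// HARDENED: reject anything that is not a positive integer, then bind the
// value as a typed parameter so the database never parses it as SQL.
function user_exists_safe(PDO $db, $id): bool
{
    $validated = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validated === false) {
        return false;   // non-numeric obj_id: treat as "no such user" and stop here
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE userid = :id');
    $stmt->bindValue(':id', $validated, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs mirroring what the endpoint receives as obj_id:
// a valid id, a missing id, and the tautology string quoted in the advisory.
$inputs = ['2', '999', "1' or 1=1-- -"];
foreach ($inputs as $obj_id) {
    printf(
        "obj_id=%-18s vulnerable=%-5s safe=%s\n",
        var_export($obj_id, true),
        var_export(user_exists_vulnerable($db, $obj_id), true),
        var_export(user_exists_safe($db, $obj_id), true)
    );
}
```

For the three constructed inputs the insecure function answers true, false, true, while the hardened one answers true, false, false: the malformed value never reaches the database. Validating with FILTER_VALIDATE_INT before the prepared statement is deliberate; the parameter binding alone already prevents injection, but rejecting non-integers early also keeps the rest of the code path from operating on a value it was never meant to see.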


Advisories

No advisories yet.

History

Tue, 27 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oxygenz; Oxygenz clipbucket
CPEs | | cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*
Vendors & Products | | Oxygenz; Oxygenz clipbucket

Thu, 08 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Clipbucket; Clipbucket clipbucket
Vendors & Products | | Clipbucket; Clipbucket clipbucket

Thu, 08 Jan 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class.php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class.php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication.
Title | | ClipBucket v5 Vulnerable to Blind SQL Injection through Channel Comments
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Clipbucket Clipbucket
Oxygenz Clipbucket
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T19:13:03.740Z

Reserved: 2026-01-05T16:44:16.369Z

Link: CVE-2026-21875

Vulnrichment

Updated: 2026-01-08T19:12:53.738Z

NVD

Status: Analyzed

Published: 2026-01-08T00:16:00.457

Modified: 2026-01-27T19:05:52.837

Link: CVE-2026-21875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses