Description
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #45, in ClipBucket v5, the Remote Play feature allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SSRF can be triggered, causing GET requests to be sent to internal servers. An attacker can exploit this to scan the internal network. Even a regular (non-privileged) user can carry out the attack.
Published: 2026-02-12
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Internal Network Enumeration via SSRF
Action: Patch Now
AI Analysis

Impact

The flaw resides in the remote play feature of ClipBucket v5, where users can create video entries that reference external video URLs without uploading the video files to the server. By providing a URL that points to an internal network host, the server triggers an SSRF, sending GET requests to internal services. This issue appears in all releases prior to 5.5.3, including earlier sub‑releases such as 5.5.2.#45.

Affected Systems

Affected systems are deployments of the ClipBucket v5 open‑source video sharing platform from MacWarrior, specifically every release before 5.5.3. The listed product is clipbucket‑v5, and the vulnerability applies to all code versions before the 5.5.3 patch.

Risk and Exploitability

The risk is moderate, with a CVSS 3.1 score of 5.0, but the EPSS probability is below 1%, indicating a low likelihood of exploitation. The flaw is exploitable by any user who can access the remote play page, allowing internal network enumeration but not direct code execution. Because the vulnerability is not in the CISA KEV catalog and no public exploit is known, the most effective defense is to apply the 5.5.3 upgrade or otherwise block internal destination addresses.

Generated by OpenCVE AI on April 17, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ClipBucket to version 5.5.3 or later, which removes the SSRF in remote video URL handling.
  • If an upgrade cannot be performed immediately, disable or restrict the remote video URL feature and enforce a whitelist that excludes internal IP ranges such as 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12.
  • Harden network segmentation or firewall rules so that internal services are not reachable from the server hosting ClipBucket.
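The second recommended action above (a whitelist that excludes internal IP ranges) is the kind of destination check an application can apply to a user-supplied remote video URL before fetching it. The following is an added illustration, not ClipBucket's own code or its 5.5.3 fix; the function names and the injectable `resolver` hook are assumptions made so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical destination check for a user-supplied remote video URL.
# It is not taken from ClipBucket; it demonstrates the "exclude internal
# ranges" mitigation listed in the recommended actions.

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip) -> bool:
    """True for any address the server must never fetch on a user's behalf."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private         # 10/8, 172.16/12, 192.168/16, fc00::/7
        or ip.is_loopback     # 127/8, ::1
        or ip.is_link_local   # 169.254/16 (cloud metadata), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified  # 0.0.0.0, ::
        or not ip.is_global
    )


def resolve_host(host: str) -> list:
    """Default resolver: every A/AAAA answer for the host, as strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def is_safe_remote_url(url: str, resolver=resolve_host) -> bool:
    """Accept a remote-play URL only if every resolved address is public.

    Note: a passing result is a point-in-time check. The fetch that follows
    must connect to the address validated here (not re-resolve the name)
    and must not follow redirects without re-running this check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, UnicodeError, ValueError):
            return False
    return bool(addrs) and not any(_is_internal(ip) for ip in addrs)
```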

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 15:00:00 +0000

Type: First Time appeared
  Values Added: Oxygenz; Oxygenz clipbucket
Type: CPEs
  Values Added: cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Oxygenz; Oxygenz clipbucket

Fri, 13 Feb 2026 21:45:00 +0000

Type: First Time appeared
  Values Added: Macwarrior; Macwarrior clipbucket-v5
Type: Vendors & Products
  Values Added: Macwarrior; Macwarrior clipbucket-v5

Thu, 12 Feb 2026 21:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 20:45:00 +0000

Type: Description
  Values Added: ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #45, in Clip Bucket V5, The Remote Play allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SSRF can be triggered, causing GET requests to be sent to internal servers. An attacker can exploit this to scan the internal network. Even a regular (non-privileged) user can carry out the attack.
Type: Title
  Values Added: ClipBucket v5 enables internal network scans via an SSRF vulnerability
Type: Weaknesses
  Values Added: CWE-918
Type: References
Type: Metrics
  Values Added: cvssV3_1
  {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T20:48:51.460Z

Reserved: 2026-02-09T17:41:55.860Z

Link: CVE-2026-26005

Vulnrichment

Updated: 2026-02-12T20:48:33.105Z

NVD

Status : Analyzed

Published: 2026-02-12T21:16:03.173

Modified: 2026-02-18T14:59:54.727

Link: CVE-2026-26005

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses