Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store an XSS payload. The payload is triggered by an administrator. Version 5.5.3 #59 fixes the issue.
Published: 2026-02-27
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via Collection name
Action: Patch
AI Analysis

Impact

ClipBucket v5 allows a normal authenticated user to store a malicious script in the name of a collection. The payload is executed when an administrator loads or edits the collection, resulting in stored cross‑site scripting that runs within the admin’s browser context. This can lead to theft of authentication cookies, session hijacking, or defacement of the admin interface, thereby compromising the confidentiality and integrity of sensitive administrative sessions.

Affected Systems

The vulnerability is present in MacWarrior’s ClipBucket v5, the open‑source video sharing platform, and affects any installation running a version earlier than 5.5.3 #59. The product is also tracked under the CPE for oxygenz:clipbucket.

Risk and Exploitability

The CVSS 4.0 base score is 2.0, indicating low severity; the CVSS 3.1 vector recorded in the history scores 5.4. The EPSS score is below 1 %, suggesting a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. To store the payload, the attacker must be an authenticated regular user, and the payload runs only when an administrator views or edits the collection with the malicious name. Exploitation therefore depends on administrator interaction in the admin interface and on how input to the collection name field is handled.

Generated by OpenCVE AI on April 16, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClipBucket to version 5.5.3 #59 or later to apply the vendor fix for the stored XSS issue.
  • Ensure that collection names are sanitized or escaped before rendering to prevent injection of executable script.
  • Restrict the ability to create or rename collections to trusted administrative roles and audit input validation to mitigate future XSS risks.



Advisories

No advisories yet.

History

Tue, 03 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oxygenz; Oxygenz clipbucket
CPEs | | cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*
Vendors & Products | | Oxygenz; Oxygenz clipbucket
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Macwarrior; Macwarrior clipbucket-v5
Vendors & Products | | Macwarrior; Macwarrior clipbucket-v5

Fri, 27 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 fixes the issue.
Title | | ClipBucket v5 has Stored XSS via Collection name
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0: {'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:24:08.947Z

Reserved: 2026-02-17T01:41:24.607Z

Link: CVE-2026-26997

Vulnrichment

Updated: 2026-02-27T20:24:05.312Z

NVD

Status: Analyzed

Published: 2026-02-27T20:21:37.503

Modified: 2026-03-03T20:10:04.927

Link: CVE-2026-26997

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses