Description
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 #80 within the `actions/ajax.php` endpoint. Due to insufficient input sanitization of the `userid` parameter, an authenticated attacker can execute arbitrary SQL queries, leading to full database disclosure and potential administrative account takeover. Version 5.5.3 #80 fixes the issue.
Published: 2026-03-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration
Action: Apply Patch
AI Analysis

Impact

ClipBucket v5 contains a time‑based blind SQL injection flaw in the actions/ajax.php endpoint. The issue stems from insufficient input sanitization of the userid parameter, allowing an authenticated attacker to craft payloads that cause delayed responses and reveal database contents. This weakness is classified as CWE‑89. The impact of exploitation is full database disclosure and potential administrative account takeover, as the attacker can execute arbitrary SQL queries against the backend database.

Affected Systems

The vulnerable product is ClipBucket version 5 from MacWarrior, as referenced by the vendor name and the CPE string cpe:2.3:a:oxygenz:clipbucket. The flaw exists in all releases before 5.5.3 #80. Version 5.5.3 #80 and later contain the fix.

Risk and Exploitability

The CVSS score is 8.8, placing the vulnerability in the high severity range. The EPSS score is less than 1%, indicating a low current probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attack requires authentication, meaning the threat is limited to users who can log in. An attacker can exploit the flaw by sending time‑based SQL payloads that induce measurable delays, allowing the attacker to recover data byte by byte. Automated tools that support blind SQL injection could be used if the attacker has the necessary access privileges.

Generated by OpenCVE AI on March 19, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClipBucket to version 5.5.3 or later to fix the injection vulnerability.
  • Verify the installed version after upgrading.
  • If upgrade is not immediately possible, restrict access to actions/ajax.php to trusted administrative users only and validate or sanitize the userid parameter on the server side.
  • Monitor web server logs for unusual query patterns or injection attempts and alert on suspicious activity.
  • Perform a security audit of other input points to ensure no similar injection vulnerabilities remain.

Generated by OpenCVE AI on March 19, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Oxygenz
Oxygenz clipbucket
CPEs cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*
Vendors & Products Oxygenz
Oxygenz clipbucket

Thu, 19 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Macwarrior
Macwarrior clipbucket-v5
Vendors & Products Macwarrior
Macwarrior clipbucket-v5

Wed, 18 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 #80 within the `actions/ajax.php` endpoint. Due to insufficient input sanitization of the `userid` parameter, an authenticated attacker can execute arbitrary SQL queries, leading to full database disclosure and potential administrative account takeover. Version 5.5.3 #80 fixes the issue.
Title ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltration
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Macwarrior Clipbucket-v5
Oxygenz Clipbucket
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T17:47:53.606Z

Reserved: 2026-03-11T21:16:21.661Z

Link: CVE-2026-32321

cve-icon Vulnrichment

Updated: 2026-03-19T17:44:39.953Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T21:16:26.410

Modified: 2026-03-19T18:47:02.070

Link: CVE-2026-32321

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:52:15Z

Weaknesses