Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into shell commands without escaping and then executed, so any shell metacharacter in the URL is interpreted. This results in arbitrary command execution. This issue has been patched in version 5.5.3 - #140.
Published: 2026-06-11
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ClipBucket’s Remote Play feature permitted any authenticated user to import an external video URL, concatenating that URL directly into shell commands without escaping. An attacker can inject shell metacharacters in the URL, causing arbitrary shell commands to run with the privileges of the web application. This flaw allows full remote code execution on the host, a classic OS command injection vulnerability identified as CWE-78.

Affected Systems

Any deployment of MacWarrior’s ClipBucket v5 that is running any version prior to 5.5.3 – #140 is affected. The patch added in 5.5.3 resolves the command‑injection issue.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. No EPSS data is available, so the likelihood of exploitation cannot be quantified here, but the defect exists in the web interface and can be triggered by any authenticated user. It is not listed in CISA’s KEV catalog. An attacker must first authenticate to the application (or obtain credentials) and then supply a crafted URL via the Remote Play interface. Once activated, the attacker can execute arbitrary commands on the server, compromising confidentiality, integrity, and availability of the entire system.

Generated by OpenCVE AI on June 12, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClipBucket to version 5.5.3 or later to apply the vendor patch.
  • If upgrading is not immediately possible, disable the Remote Play feature by removing or commenting out the associated endpoint or configuration option in ClipBucket’s code.
  • Enforce strict input validation and sanitization on the video import URL parameter, ensuring that no shell metacharacters are allowed, or use safe shell command execution functions that escape parameters.
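The unescaped concatenation described above and the two mitigations from the last recommendation, shown side by side as an added example. This is not ClipBucket's code: the function names are hypothetical, and ffprobe is an assumed stand-in for the shell commands the description leaves unnamed. The sample URLs are constructed.

```php
<?php
// Added illustration, not ClipBucket code. ffprobe is an assumed stand-in
// for the unnamed shell commands the advisory says receive the URL.

// Vulnerable pattern: the URL is concatenated into a string that /bin/sh parses.
function probe_unsafe_cmd(string $url): string
{
    return 'ffprobe -v error -show_format -i ' . $url;
}

// Minimal fix where a shell string is unavoidable: quote the one argument.
function probe_escaped_cmd(string $url): string
{
    return 'ffprobe -v error -show_format -i ' . escapeshellarg($url);
}

// Allow-list validation: http(s) only, conservative character set.
// '&' and '?' stay legal for query strings, so validation alone is not
// enough; probe_safe() below never hands the URL to a shell.
function validate_remote_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    return preg_match('/\A[A-Za-z0-9._~:\/?#@&=+%,-]+\z/', $url) === 1;
}

// Preferred fix: validate, then exec an argv array (PHP >= 7.4, no shell).
function probe_safe(string $url): ?string
{
    if (!validate_remote_url($url)) {
        return null;
    }
    $argv = ['ffprobe', '-v', 'error', '-show_format', '-i', $url];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return proc_close($proc) === 0 ? $out : null;
}

// Constructed sample inputs: one ordinary URL, one carrying a metacharacter.
foreach (['https://media.example/v.mp4?x=1&y=2', 'https://media.example/v.mp4; echo INJECTED'] as $u) {
    printf("%s\n  valid=%s\n  escaped: %s\n", $u, var_export(validate_remote_url($u), true), probe_escaped_cmd($u));
}
```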



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 00:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Macwarrior; Macwarrior clipbucket-v5
Vendors & Products | | Macwarrior; Macwarrior clipbucket-v5

Thu, 11 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into shell commands without escaping then executed, so any shell metacharacter in the URL is interpreted. This results in arbitrary command execution. This issue has been patched in version 5.5.3 - #140.
Title | | ClipBucket: Remote Play URL Command Injection
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T22:49:58.523Z

Reserved: 2026-04-30T16:44:48.377Z

Link: CVE-2026-42846

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T23:16:23.203

Modified: 2026-06-11T23:16:23.203

Link: CVE-2026-42846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T01:00:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')