Description
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #122, there is a critical SQL Injection (SQLi) vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint admin_area/action_logs.php. The endpoint admin_area/action_logs.php reads $_GET['type'], stores it in $result_array['type'], and forwards it into fetch_action_logs(), where the value is concatenated directly into a SQL WHERE condition on action_type without parameterization. This allows UNION-based SQL injection and direct data exfiltration from the database. This vulnerability is fixed in 5.5.3 - #122.
Published: 2026-05-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in ClipBucket version 5, where an authenticated admin user can manipulate the 'type' GET parameter on the admin_area/action_logs.php endpoint. The value is read from $_GET['type'], carried in $result_array['type'] into fetch_action_logs(), and concatenated directly into the SQL WHERE condition on action_type without parameterization, so a quote in the value breaks out of the string literal and enables UNION-based SQL injection. An attacker holding administrative credentials or a valid admin session can therefore read arbitrary rows from the database; the CVSS vector rates the confidentiality impact as high and the integrity impact as none, which matches a read-only UNION exfiltration.

Affected Systems

ClipBucket v5, every build prior to 5.5.3 - #122, the build the CVE record names as containing the fix. Administrators should check the installed version and build number and update accordingly.

Risk and Exploitability

The CVSS 4.0 score of 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L) indicates high severity: network-reachable, low attack complexity, no user interaction, but some authenticated privilege is required. The EPSS score is below 1%, so the predicted probability of exploitation in the wild is very low, and the vulnerability is not listed in CISA KEV. Because the endpoint sits under admin_area/, the practical attack vector requires access to the admin interface; an attacker who obtains or hijacks an administrator session can inject SQL directly through the vulnerable parameter.

Generated by OpenCVE AI on May 14, 2026 at 22:23 UTC.

Remediation

The vendor fix is ClipBucket 5.5.3 - #122, as stated in the CVE description. No separate workaround is published on this page.

OpenCVE Recommended Actions

  • Upgrade ClipBucket to version 5.5.3 or later, which contains the fix for the SQL injection in admin_area/action_logs.php.
  • If an upgrade cannot be performed immediately, restrict network access to the admin interface and enforce strict authentication so that only trusted administrators can reach the vulnerable endpoint.
  • Until the upgrade is in place, harden the 'type' handling on admin_area/action_logs.php yourself: bind the value as a query parameter (prepared statement) rather than escaping it into the string, and since action_type holds a small set of known keywords, additionally reject any value not on an allowlist before it reaches fetch_action_logs().
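The flow the description and the recommended actions describe (user-controlled type concatenated into a WHERE condition on action_type, versus binding it as a parameter and allowlisting it), as an added worked example that is not ClipBucket's own code: a Python/SQLite model of the vulnerable fetch_action_logs() pattern beside a hardened version, with a constructed UNION payload run against both. Only the action_type column and the fetch_action_logs / result_array names come from the advisory; the table names, the users table, the sample rows, the allowlist and the payload are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample schema: only the action_type column is named in the advisory;
# everything else (table names, users table, rows) is an assumption for the demo.
SCHEMA = """
CREATE TABLE action_logs (id INTEGER PRIMARY KEY, action_type TEXT, action_details TEXT);
CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO action_logs (action_type, action_details) VALUES
    ('login',  'admin logged in'),
    ('upload', 'video 42 uploaded');
INSERT INTO users (username, password) VALUES
    ('admin', '$2y$10$constructed-hash-1'),
    ('alice', '$2y$10$constructed-hash-2');
"""

# Hypothetical allowlist of action types the log viewer is meant to filter on.
ALLOWED_TYPES = frozenset({"login", "upload", "delete"})


def open_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_vulnerable(result_array):
    """Model of the flawed pattern: $_GET['type'] -> $result_array['type'] -> string
    concatenation into the WHERE clause.  Returns the SQL text that would be sent."""
    sql = "SELECT action_type, action_details FROM action_logs"
    type_value = result_array.get("type")
    if type_value:
        sql += " WHERE action_type = '" + type_value + "'"
    return sql


def fetch_action_logs_vulnerable(conn, result_array):
    """Executes the concatenated query as-is (vulnerable model)."""
    return conn.execute(build_query_vulnerable(result_array)).fetchall()


def fetch_action_logs_fixed(conn, result_array, allowed=ALLOWED_TYPES):
    """Hardened version: the value is bound as a parameter, so it is only ever
    compared as data.  When `allowed` is not None the value must also be on the
    allowlist, the right shape for a field that holds a small set of keywords."""
    sql = "SELECT action_type, action_details FROM action_logs"
    params = ()
    type_value = result_array.get("type")
    if type_value:
        if allowed is not None and type_value not in allowed:
            raise ValueError("unknown action type: %r" % type_value)
        sql += " WHERE action_type = ?"
        params = (type_value,)
    return conn.execute(sql, params).fetchall()


# Constructed UNION payload.  The injected SELECT must match the column count of
# the original query (two columns here); the trailing '-- ' comments out the
# closing quote the application appends.
UNION_PAYLOAD = "x' UNION SELECT username, password FROM users-- "


if __name__ == "__main__":
    db = open_db()
    print(build_query_vulnerable({"type": UNION_PAYLOAD}))
    print("vulnerable:", fetch_action_logs_vulnerable(db, {"type": UNION_PAYLOAD}))
    print("bound only:", fetch_action_logs_fixed(db, {"type": UNION_PAYLOAD}, allowed=None))
    try:
        fetch_action_logs_fixed(db, {"type": UNION_PAYLOAD})
    except ValueError as exc:
        print("allowlisted:", exc)
```

Run as a script, the vulnerable path returns the two constructed user rows instead of log rows, the parameter-bound path returns nothing (the payload is compared literally against action_type and matches no row), and the allowlisted path rejects the value before any query is built. The PHP equivalent of the bound path is a prepared statement with a placeholder and the value passed to execute(), never interpolated into the query string.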

Generated by OpenCVE AI on May 14, 2026 at 22:23 UTC.


Advisories

No advisories yet.

History

Thu, 14 May 2026 22:45:00 +0000

Type: First Time appeared
  Values Added: Macwarrior; Macwarrior clipbucket-v5

Type: Vendors & Products
  Values Added: Macwarrior; Macwarrior clipbucket-v5

Thu, 14 May 2026 21:15:00 +0000

Type: Description
  Values Added: ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #122, there is a critical SQL Injection (SQLi) vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint admin_area/action_logs.php. The endpoint admin_area/action_logs.php reads $_GET['type'], stores it in $result_array['type'], and forwards it into fetch_action_logs(), where the value is concatenated directly into a SQL WHERE condition on action_type without parameterization. This allows UNION-based SQL injection and direct data exfiltration from the database. This vulnerability is fixed in 5.5.3 - #122.

Type: Title
  Values Added: ClipBucket: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Type: Weaknesses
  Values Added: CWE-89

Type: References

Type: Metrics
  Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T20:45:54.218Z

Reserved: 2026-04-30T16:44:48.377Z

Link: CVE-2026-42847

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-14T21:16:46.393

Modified: 2026-05-15T14:55:57.710

Link: CVE-2026-42847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T22:30:25Z

Weaknesses