ClipBucket version 5 up to 5.5.3-#129 contains a blind SQL injection flaw in the progress_video.php endpoint. The vulnerability is triggered by manipulating the ids parameter, enabling an unauthenticated user to execute arbitrary SQL statements and read sensitive database content. This weakness is a classic case of CWE‑89, where input is incorporated directly into SQL queries without proper validation or sanitization. The impact is the potential loss of confidentiality through data exfiltration and the risk of further compromise should an attacker move laterally.

Any deployment of ClipBucket v5 whose installed version is older than 5.5.3-#129 is affected. The vulnerability applies specifically to the progress_video.php handler under the actions/progress_video directory. There is no known patch available within those older releases; the issue was fixed in v5.5.3-#129.

The reported CVSS score of 9.8 places this flaw in the critical range, suggesting that exploitation can be devastating. The EPSS score is not reported, so exact real‑world exploitation probability is unknown, but the lack of a KEV listing indicates no confirmed public exploits yet. The attack vector appears to be unauthenticated HTTPS or HTTP requests to the vulnerable endpoint, meaning a remote attacker can trigger the injection simply by requesting the page with a crafted ids parameter. Once achieved, the attacker obtains database read access, potentially pulling user credentials, video metadata, and other confidential information.