Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to change their title includes a number parameter which is vulnerable to SQL Injection. A boolean-based blind SQL injection can be used to exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #132.
Published: 2026-06-11
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ClipBucket version 5 allows authenticated users with video‑upload privileges to add and rename subtitle files. The POST /actions/subtitle_edit.php endpoint uses a number parameter that is vulnerable to boolean‑based blind SQL injection. By repeatedly querying this endpoint a malicious user can extract arbitrary database content, exposing sensitive data and potentially undermining data integrity. The flaw does not enable code execution, but it does provide unauthorized data disclosure.

Affected Systems

MacWarrior:clipbucket-v5, all releases prior to version 5.5.3 – #132. The defect was remediated in that release.

Risk and Exploitability

The CVSS score of 8.8 marks this vulnerability as high severity. EPSS information is unavailable, so the precise exploitation probability cannot be quantified, yet the presence of a standard SQL injection indicates a tangible risk. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with upload rights, and the attacker must perform a series of Boolean‑based requests to retrieve data.

Generated by OpenCVE AI on June 12, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to version 5.5.3 - #132 or later, which contains the official patch.
  • Restrict or disable access to subtitle_edit.php for untrusted users until the patch is applied.
  • Refactor the code to use parameterized queries and validate the number parameter to eliminate SQL injection susceptibility.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 00:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Macwarrior; Macwarrior clipbucket-v5
Vendors & Products | | Macwarrior; Macwarrior clipbucket-v5

Thu, 11 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to change their title includes a number parameter which is vulnerable to SQL Injection. A boolean-based blind SQL injection can be used to exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #132.
Title | | ClipBucket: Blind SQL Injection in subtitle_edit.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T22:48:32.712Z

Reserved: 2026-05-12T01:48:40.453Z

Link: CVE-2026-45418

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T23:16:23.937

Modified: 2026-06-11T23:16:23.937

Link: CVE-2026-45418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T01:00:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')