Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133.
Published: 2026-06-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ClipBucket v5 contains an Insecure Direct Object Reference flaw in the subtitles editor that allows an authenticated user with normal privileges to edit, rename or delete another user’s subtitles. The attacker can upload new subtitle files, modify the filenames or delete existing ones, effectively tampering with the video’s metadata and potentially inserting malicious content. This represents a data integrity violation and could be used to influence user experience or hide malicious language in subtitles.

Affected Systems

The vulnerability affects MacWarrior ClipBucket v5, the open‑source video sharing application, in versions prior to 5.5.3‑#133. Any ClipBucket v5 installation older than 5.5.3‑#133 is susceptible, while newer releases include the fix.

Risk and Exploitability

The flaw has a CVSS score of 6.5, indicating moderate severity. EPSS data is not available, but KEV does not list this vulnerability, suggesting it is not known to be widely exploited. The likely attack vector requires an authenticated user to act against another user’s subtitles; an attacker would need valid credentials but can leverage ordinary user accounts. Because the vulnerability is an authorization bypass, any authenticated user can discover and exploit it without additional preconditions.

Generated by OpenCVE AI on June 12, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClipBucket to version 5.5.3 - #133 or later, which implements proper authorization checks for the subtitle editor.
  • Revoke the ability for non‑administrator accounts to edit or delete subtitles, enforcing exclusive rights for trusted users.
  • Monitor access logs for unexpected subtitle modifications and perform periodic reviews of user permissions to detect unauthorized activity.

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 03:30:00 +0000

  • Type: Metrics
    Values Removed: (none)
    Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 00:45:00 +0000

  • Type: First Time appeared
    Values Removed: (none)
    Values Added: Macwarrior; Macwarrior clipbucket-v5
  • Type: Vendors & Products
    Values Removed: (none)
    Values Added: Macwarrior; Macwarrior clipbucket-v5

Thu, 11 Jun 2026 23:00:00 +0000

  • Type: Description
    Values Removed: (none)
    Values Added: ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133.
  • Type: Title
    Values Removed: (none)
    Values Added: ClipBucket: IDOR in videos subtitle editor
  • Type: Weaknesses
    Values Removed: (none)
    Values Added: CWE-639; CWE-863
  • Type: References
  • Type: Metrics
    Values Removed: (none)
    Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T02:47:13.973Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47238

Vulnrichment

Updated: 2026-06-13T02:47:01.212Z

NVD

Status: Deferred

Published: 2026-06-11T23:16:24.073

Modified: 2026-06-13T04:17:32.580

Link: CVE-2026-47238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T00:30:07Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-863

    Incorrect Authorization