Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133.
Published: 2026-06-11
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ClipBucket v5 contains an Insecure Direct Object Reference flaw in the subtitles editor that allows an authenticated user with normal privileges to edit, rename or delete another user’s subtitles. The attacker can upload new subtitle files, modify the filenames or delete existing ones, effectively tampering with the video’s metadata and potentially inserting malicious content. This represents a data integrity violation and could be used to influence user experience or hide malicious language in subtitles.

Affected Systems

The vulnerability affects the MacWarrior ClipBucket v5 platform prior to version 5.5.3‑#133. The affected product is the open‑source video sharing application released by MacWarrior. Users running any version of ClipBucket v5 older than 5.5.3‑#133 are susceptible, while newer releases include the fix.

Risk and Exploitability

The flaw has a CVSS score of 6.5, indicating moderate severity. EPSS data is not available, and KEV does not list this vulnerability, suggesting it is not known to be widely exploited. The likely attack vector requires an authenticated user to act against another user’s subtitles; an attacker would need valid credentials but can leverage ordinary user accounts. Because the vulnerability is an authorization bypass, any authenticated user can discover and exploit it without additional preconditions.

Generated by OpenCVE AI on June 12, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClipBucket to version 5.5.3 - #133 or later, which implements proper authorization checks for the subtitle editor.
  • Revoke the ability for non‑administrator accounts to edit or delete subtitles, enforcing exclusive rights for trusted users.
  • Monitor access logs for unexpected subtitle modifications and perform periodic reviews of user permissions to detect unauthorized activity.



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 00:45:00 +0000

First Time appeared (values added): Macwarrior; Macwarrior clipbucket-v5
Vendors & Products (values added): Macwarrior; Macwarrior clipbucket-v5

Thu, 11 Jun 2026 23:00:00 +0000

Description (values added): ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133.
Title (values added): ClipBucket: IDOR in videos subtitle editor
Weaknesses (values added): CWE-639; CWE-863
References
Metrics (values added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T22:53:17.675Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47238

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T23:16:24.073

Modified: 2026-06-11T23:16:24.073

Link: CVE-2026-47238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T00:30:07Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-863: Incorrect Authorization