EUVD-2026-12960Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 #80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute arbitrary SQL queries, leading to full database disclosure and potential administrative account takeover. Version 5.5.3 #80 fixes the issue.
AnalysisAI
An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | ClipBucket versions prior to 5.5.3 #80. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS v3.1 score of 8.8 (High) reflects significant risk with a network attack vector requiring low complexity and only low-level privileges (authenticated user) with no user interaction needed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker with low-privilege credentials on a ClipBucket installation crafts malicious SQL payloads in the userid parameter when making requests to the actions/ajax.php endpoint. Using time-based blind SQL injection techniques, the attacker systematically extracts sensitive data from the database by observing response timing differences, eventually obtaining administrator credentials and sensitive user information. … |
| Remediation | Upgrade ClipBucket v5 to version 5.5.3 #80 or later, which contains the fix for this SQL injection vulnerability as documented in the GitHub security advisory at https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-2757-6cp4-v7xx. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all ClipBucket v5 deployments and confirm current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission
Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar C
Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate
DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.
SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitra
Share
External POC / Exploit Code
Leaving vuln.today