ClipBucket v5
CVE-2026-47238
Severity: MEDIUM
Severity by source
Adjusted vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Note: PR:L overrides the provided PR:N because the description explicitly requires an authenticated user; C:N because no data disclosure is described.
Primary rating from vendor (GitHub_M).
Vendor CVSS vector (GitHub_M): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Description (source: CVE.org)
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133.
Analysis (AI-generated)
ClipBucket v5's subtitle management feature lacks ownership verification, enabling any authenticated user to upload, rename, or delete subtitle tracks on videos belonging to other users. All releases prior to version 5.5.3 - #133 (CPE: cpe:2.3:a:macwarrior:clipbucket-v5) are affected. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a valid authenticated session as a normal (non-admin) user on the target ClipBucket v5 instance; registration must be open or the attacker must have obtained credentials. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | A notable discrepancy exists between the provided CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N) and the vulnerability description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a standard low-privilege account on a ClipBucket v5 instance enumerates subtitle or video IDs (predictable integer sequences or accessible metadata) belonging to other users, then issues HTTP requests to the subtitle management endpoint using those IDs to rename, replace, or delete the target's subtitle tracks. No POC has been identified, but the attack requires only standard HTTP tooling and a valid session cookie. … |
| Remediation | Upgrade ClipBucket v5 to version 5.5.3 - #133 or later, which introduces the missing ownership authorization check on subtitle management endpoints. … Detailed patch versions, workarounds, and compensating controls in full report. |