Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #122, there is a critical SQL Injection (SQLi) vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint admin_area/action_logs.php. The endpoint admin_area/action_logs.php reads $_GET['type'], stores it in $result_array['type'], and forwards it into fetch_action_logs(), where the value is concatenated directly into a SQL WHERE condition on action_type without parameterization. This allows UNION-based SQL injection and direct data exfiltration from the database. This vulnerability is fixed in 5.5.3 - #122.
AnalysisAI
SQL injection in ClipBucket v5's admin panel allows authenticated administrators to exfiltrate database contents via the action_logs.php endpoint. The type parameter is directly concatenated into SQL queries without parameterization, enabling UNION-based attacks to extract sensitive data including user credentials, video metadata, and system configuration. Affects all versions prior to 5.5.3 - #122. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given the straightforward injection point and admin access requirement.
Technical ContextAI
ClipBucket v5 is a PHP-based open-source video sharing platform similar to YouTube. The vulnerability stems from CWE-89 (SQL Injection) in the admin_area/action_logs.php file, where user-supplied input from the 'type' GET parameter flows through $result_array['type'] into the fetch_action_logs() function. This function constructs SQL queries by directly concatenating the untrusted input into a WHERE clause filtering on action_type column, bypassing PHP's prepared statement protections. UNION-based SQL injection techniques allow attackers to append arbitrary SELECT statements to exfiltrate data from any database table accessible to the ClipBucket database user, typically including user accounts, uploaded content metadata, system settings, and potentially credentials for integrated services.
RemediationAI
Upgrade ClipBucket v5 to version 5.5.3 - #122 or later, which implements parameterized SQL queries to prevent injection in the action_logs.php endpoint. The vendor-released patch is available through the official GitHub repository at https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-x33j-5cqg-vrrc. For environments unable to immediately upgrade, implement defense-in-depth controls: restrict admin panel access to specific IP addresses via web server configuration (Apache .htaccess allow/deny rules or nginx location blocks), enforce multi-factor authentication for all admin accounts to prevent credential compromise, enable database query logging to detect UNION-based injection attempts, and apply least-privilege database permissions so the ClipBucket database user cannot access system tables or perform administrative operations. Note that IP restrictions may impact legitimate remote administration, MFA adds operational overhead for admin workflows, and query logging increases storage requirements and may affect performance on high-traffic installations. Web application firewall rules detecting SQL keywords in the type parameter provide detection but can be bypassed with encoding techniques and should not replace patching.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30476