Macwarrior Clipbucket-V5 vulnerabilities
28 known vulnerabilities affecting macwarrior/clipbucket-v5.
Total CVEs: 28
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 9, MEDIUM 12
Vulnerabilities
Page 1 of 2
CVE-2026-42846 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 5.5.3 - #140 | 2026-06-11
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into shell commands without escaping then executed,
nvd
CVE-2026-45060 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 5.5.3 - #129 | 2026-06-11
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #129, the actions/progress_video.php endpoint is vulnerable to blind SQL injection. Any unauthenticated user can exploit the ids parameter to execute SQL queries and exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #129.
nvd
CVE-2025-21624 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | fixed in 5.5.1 - 239 | 2025-01-07
ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script file instead of an image file, thus allowing a websh
nvd
CVE-2026-32321 | P3 | HIGH | CVSS 8.8 | CWE-89 | fixed in 5.5.3 - #80 | 2026-03-18
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 #80 within the `actions/ajax.php` endpoint. Due to insufficient input sanitization of the `userid` parameter, an authenticated attacker can execute arbitrary SQL queries, leading to full database disc
nvd
CVE-2026-21875 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | ≤ 5.5.2-#187 | 2026-01-08
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php
nvd
CVE-2025-62709 | P3 | HIGH | CVSS 8.8 | CWE-640 | v>= 5.5.2, < 5.5.2#162 | 2025-11-20
ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This all
nvd
CVE-2026-45418 | P3 | HIGH | CVSS 8.8 | CWE-89 | fixed in 5.5.3 - #132 | 2026-06-11
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to change their title includes a number parameter which is vulnerable to SQL In
nvd
CVE-2024-54136 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | v>= 5.5.1 Revision 141, < 5.5.1 Revision 200 | 2024-12-06
ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 5.5.1 Revision 199 and below is vulnerable to PHP deserialization. The vulnerability exists in upload/upload.php, where user-supplied input from the collection GET parameter is passed directly to the unserialize function. As a result, it is possible for an ad
nvd
CVE-2025-21622 | P3 | CRITICAL | CVSS 9.1 | CWE-22 | fixed in 5.5.1 - 237 | 2025-01-07
ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There
nvd
CVE-2024-54135 | P3 | HIGH | CVSS 8.8 | CWE-502 | v>= 2.0, < 5.5.1 Revision 200 | 2024-12-06
ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to PHP deserialization. The vulnerability exists in upload/photo_upload.php within the decode_key function. User inputs were supplied to this function without sanitization via collection GET parameter and phot
nvd
CVE-2025-62429 | P3 | HIGH | CVSS 7.2 | CWE-94 | fixed in 5.5.2 #147 | 2025-10-20
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 #147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/admin_area/actions/update_launch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is not performed, and by injecting malicious code an attac
nvd
CVE-2026-25728 | P3 | HIGH | CVSS 7.5 | CWE-367 | fixed in 5.5.3 - #40 | 2026-02-10
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, creating a window where an attacker can exe
nvd
CVE-2025-64338 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | fixed in 5.5.2 - #157 | 2025-11-07
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which makes ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is rendered unsafely in the Admin → Manage Photos inter
nvd
CVE-2026-42847 | P3 | HIGH | CVSS 7.1 | CWE-89 | fixed in 5.5.3 - #122 | 2026-05-14
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #122, there is a critical SQL Injection (SQLi) vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint admin_area/action_logs.php. The endpoint admin_area/action_logs.php reads $_GET['type'], stores it in $result_array['type'], and f
nvd
CVE-2025-64114 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | fixed in 5.5.2-#152 | 2025-11-06
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2 - #151 and below allow authenticated administrators with plugin management privileges to execute arbitrary SQL commands against the database through its ClipBucket Custom Fields plugin. The vulnerabilities require the Custom Fields plugin to be installed and accessible, and can on
nvd
CVE-2025-62424 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | fixed in 5.5.2 - #147 | 2025-10-17
ClipBucket is a web-based video-sharing platform. In ClipBucket version 5.5.2 - #146 and earlier, the /admin_area/template_editor.php endpoint is vulnerable to path traversal. The validation of the file-loading path is inadequate, allowing authenticated administrators to read and write arbitrary files outside the intended template directory by insert
nvd
CVE-2025-21623 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 5.5.1 - 238 | 2025-01-07
ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service.
nvd
CVE-2025-62423 | P3 | HIGH | CVSS 7.2 | CWE-89 | ≤ 5.5.2 - #140 | 2025-10-16
ClipBucket V5 provides open source video hosting with PHP. In version 5.5.2 - #140 and earlier, a Blind SQL injection vulnerability exists in the Admin Area’s “/admin_area/login_as_user.php” file. Exploiting this vulnerability requires access privileges to the Admin Area.
nvd
CVE-2026-28354 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in 5.5.3 - #59 | 2026-02-27
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item (/actions/add_to_collection.php) due to missing authorization checks and delete item (/manage_c
nvd
CVE-2025-65113 | P3 | MEDIUM | CVSS 6.5 | CWE-770 | fixed in 5.5.2 - #164 | 2025-11-29
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 - #164, an authorization bypass vulnerability in the AJAX flagging system allows any unauthenticated user to flag any content (users, videos, photos, collections) on the platform. This can lead to mass flagging attacks, content disruption, and moderation system abuse. Thi
nvd