CVE-2026-21875
Unknown Unknown - Not Provided
Blind SQL Injection in ClipBucket v5 Channel Comment Function

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class. php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class. php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21875
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
clipbucket clipbucket to 5.5.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21875 is a critical blind SQL injection vulnerability in the ClipBucket v5 video sharing platform, specifically in the channel comments feature. It occurs because the obj_id parameter in a POST request to /actions/ajax.php is used directly in an SQL query without proper validation or sanitization. This allows an attacker to inject SQL code, such as '1' or 1=1-- -', to manipulate the database query. The vulnerability is blind boolean-based SQL injection, meaning attackers can infer database information without seeing direct output. It can be exploited remotely without authentication if anonymous comments are enabled, or with authentication if disabled. [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized extraction of sensitive database information, compromising the confidentiality, integrity, and availability of the system. Attackers can remotely exploit this vulnerability without any privileges if anonymous comments are enabled, potentially leading to full database compromise and data leakage. [1]

Detection Guidance

This vulnerability can be detected by sending crafted POST requests to the /actions/ajax.php endpoint with the obj_id parameter containing SQL injection payloads such as "1' or 1=1-- -" and observing the application's behavior for signs of blind SQL injection. For example, using curl to send a test POST request: curl -X POST -d "obj_id=1' or 1=1-- -" https://your-clipbucket-site/actions/ajax.php If the response behavior differs from normal input, it may indicate vulnerability. Automated SQL injection testing tools can also be used to test this endpoint and parameter. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Disable anonymous comments if enabled, as exploitation requires authentication otherwise. 2) Restrict access to the /actions/ajax.php endpoint to trusted users or networks. 3) Monitor and block suspicious POST requests containing SQL injection patterns targeting the obj_id parameter. 4) Apply any available patches or updates; note that the vulnerability was patched in ClipBucket v5.5.2 (#191). Until patching, these mitigations can reduce risk. [1]

Compliance Impact

This vulnerability allows attackers to perform blind SQL injection attacks that can lead to unauthorized access and extraction of sensitive database information. Such a compromise of sensitive data can result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches and loss of confidentiality, integrity, and availability of protected data. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart