CVE-2026-45418
Deferred - Pending Action

SQL Injection in ClipBucket Video Sharing Platform

Vulnerability report for CVE-2026-45418, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to change their title includes a number parameter which is vulnerable to SQL Injection. A boolean-based blind SQL injection can be used to exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #132.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-12
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30
NVD

Affected Vendors & Products

1 associated CPE

Vendor: clipbucket
Product: clipbucket
Version / Range: up to 5.5.3 (excluding)

CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI Quick Actions

Executive Summary

This vulnerability exists in ClipBucket v5, an open source video sharing platform. Before version 5.5.3 - #132, any authenticated user who can upload videos could add multiple subtitles from different files and change their titles. The POST request to /actions/subtitle_edit.php, which is used to change subtitle titles, includes a number parameter that is vulnerable to SQL Injection. Specifically, a boolean-based blind SQL injection can be exploited to extract sensitive data from the database.

Impact Analysis

The vulnerability allows an authenticated user with video upload permissions to perform a boolean-based blind SQL injection attack. This can lead to unauthorized access to sensitive data stored in the database. Additionally, the CVSS score of 8.8 indicates a high severity impact, including potential compromise of confidentiality, integrity, and availability of the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ClipBucket to version 5.5.3 - #132 or later, where the SQL Injection issue in the subtitle_edit.php endpoint has been patched.

Compliance Impact

The vulnerability in ClipBucket v5 prior to version 5.5.3 allows authenticated users to perform a boolean-based blind SQL injection, which can be used to exfiltrate sensitive data.

Such unauthorized access and potential data exfiltration can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of sensitive personal and health information.

Therefore, this vulnerability could negatively impact compliance with these standards by exposing sensitive data to unauthorized parties.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing POST requests to the /actions/subtitle_edit.php endpoint, specifically looking at the 'number' parameter in the request body for signs of SQL injection attempts.

Since the vulnerability is a boolean-based blind SQL injection in the 'number' parameter, detection can involve sending crafted payloads to observe differences in application behavior or response times.

  • Use tools like curl or Burp Suite to send POST requests with SQL injection payloads in the 'number' parameter to test for the vulnerability.
  • Example curl commands to test for SQL injection (replace the URL and authentication as needed):

      curl -X POST -d "number=1' AND 1=1-- " -b cookies.txt https://targetsite.com/actions/subtitle_edit.php
      curl -X POST -d "number=1' AND 1=2-- " -b cookies.txt https://targetsite.com/actions/subtitle_edit.php

Differences in response or behavior between these requests may indicate the presence of the SQL injection vulnerability.

  • Monitor web server logs for unusual or suspicious POST requests to /actions/subtitle_edit.php with unexpected input in the 'number' parameter.
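As an added example (not code from this page or from the ClipBucket project), the following Python scanner applies the log-monitoring advice above. It assumes a constructed log format that records the POST body (ordinary access logs do not, so a WAF or application log would be needed) and assumes, as the parameter name suggests, that 'number' should only ever be a plain integer, so any other value on /actions/subtitle_edit.php is flagged.

```python
"""Flag POST requests to /actions/subtitle_edit.php whose 'number' field
is not a plain integer. Added example; assumes a log that records the
request body in the constructed format "<client> <method> <path> body=<form>".
"""
import re
from urllib.parse import parse_qs

# Constructed sample lines: two normal edits, the two boolean-blind probe
# shapes from the guidance above (URL-encoded), and an unrelated endpoint.
SAMPLE_LOG = """\
10.0.0.5 POST /actions/subtitle_edit.php body=number=1&title=English
10.0.0.5 POST /actions/subtitle_edit.php body=number=2&title=Spanish
10.0.0.9 POST /actions/subtitle_edit.php body=number=1%27+AND+1%3D1--+&title=x
10.0.0.9 POST /actions/subtitle_edit.php body=number=1%27+AND+1%3D2--+&title=x
10.0.0.7 POST /actions/upload.php body=number=1%27&title=x
10.0.0.5 GET /actions/subtitle_edit.php body=
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$")
TARGET_PATH = "/actions/subtitle_edit.php"
INT_RE = re.compile(r"^\d+$")  # the only shape a subtitle number should take


def parse_line(line):
    """Split one log line into its fields; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs undoes percent-encoding and '+', giving the value the app sees
    form = parse_qs(rec["body"], keep_blank_values=True)
    rec["form"] = {k: v[0] for k, v in form.items()}
    return rec


def suspicious_number(value):
    """True when the decoded 'number' value is anything but digits."""
    return not INT_RE.match(value)


def scan(log_text):
    """Return (client, decoded number value) for each suspect request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        number = rec["form"].get("number")
        if number is not None and suspicious_number(number):
            hits.append((rec["client"], number))
    return hits


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}: suspicious number={value!r}")
```

Requests that omit 'number' entirely are not flagged here, since they are malformed rather than injection attempts; adjust that policy if the endpoint is never legitimately called without it.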
