CVE-2026-45418
Received - Intake
SQL Injection in ClipBucket Video Sharing Platform

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to change their title includes a number parameter which is vulnerable to SQL Injection. A boolean-based blind SQL injection can be used to exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #132.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: clipbucket
Product: clipbucket
Version / Range: up to 5.5.3 (exclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

This vulnerability exists in ClipBucket v5, an open source video sharing platform. Before version 5.5.3 - #132, any authenticated user who can upload videos could add multiple subtitles from different files and change their titles. The POST request to /actions/subtitle_edit.php, which is used to change subtitle titles, includes a number parameter that is vulnerable to SQL Injection. Specifically, a boolean-based blind SQL injection can be exploited to extract sensitive data from the database.

Impact Analysis

The vulnerability allows an authenticated user with video upload permissions to perform a boolean-based blind SQL injection attack. This can lead to unauthorized access to sensitive data stored in the database. Additionally, the CVSS score of 8.8 indicates a high severity impact, including potential compromise of confidentiality, integrity, and availability of the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ClipBucket to version 5.5.3 - #132 or later, where the SQL Injection issue in the subtitle_edit.php endpoint has been patched.
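
Until the upgrade is in place, captured requests to the affected endpoint can be screened for number values that are not plain integers. The following is an added example, not ClipBucket code or part of the advisory; it assumes number is meant to be a non-negative integer, that request bodies are available as URL-encoded strings, and every sample record and every field name other than number is constructed.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/actions/subtitle_edit.php"  # endpoint named in the advisory
PARAM = "number"                         # parameter named in the advisory
# Assumption: a legitimate value is a short run of ASCII digits.
# [0-9] with fullmatch() rejects Unicode digits and trailing newlines.
STRICT_INT = re.compile(r"[0-9]{1,10}")

# Constructed sample records: (method, path, URL-encoded body).
SAMPLE_REQUESTS = [
    ("POST", "/actions/subtitle_edit.php", "videoid=12&number=2&title=English"),
    ("POST", "/actions/subtitle_edit.php", "videoid=12&number=2%20AND%201%3D1&title=x"),
    ("POST", "/actions/subtitle_edit.php", "videoid=12&number=1&number=1%27&title=x"),
    ("POST", "/actions/subtitle_edit.php", "videoid=12&title=Spanish"),
    ("GET", "/watch_video.php", ""),
]

def classify(method, path, body):
    """Return None for out-of-scope requests, else 'ok' or a reason string."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return None
    # parse_qs percent-decodes values, so encoded SQL syntax is seen in clear.
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    if not values:
        return "missing"
    if len(values) > 1:
        # Which copy the server uses is implementation-specific; flag it.
        return "duplicated"
    if not STRICT_INT.fullmatch(values[0]):
        return "non-integer"
    return "ok"

def audit(requests):
    """Return (index, reason) for each in-scope request that is not 'ok'."""
    findings = []
    for index, (method, path, body) in enumerate(requests):
        verdict = classify(method, path, body)
        if verdict not in (None, "ok"):
            findings.append((index, verdict))
    return findings

if __name__ == "__main__":
    for index, reason in audit(SAMPLE_REQUESTS):
        print(f"request {index}: {PARAM} is {reason}")
```

Findings are candidates for review rather than proof of exploitation, and the same strict-integer rule can be enforced at a reverse proxy or WAF in front of unpatched instances.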
