CVE-2026-47238
Deferred - Pending Action

Authenticated User Video Subtitle Manipulation in ClipBucket

Publication date: 2026-06-11

Last updated on: 2026-06-13

Assigner: GitHub, Inc.

Description

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-13
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor | Product | Version / Range
clipbucket | clipbucket | to 5.5.3 (exc)

Exploitability

CWE

CWE ID | Description
CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

This vulnerability exists in ClipBucket version 5 before 5.5.3. It allows a normal authenticated user to edit subtitles of videos that belong to other users due to a lack of proper authorization checks. Specifically, an attacker can upload subtitles, change their names, or delete subtitles of other users' videos.

Impact Analysis

The vulnerability can lead to unauthorized modification or deletion of video subtitles by any authenticated user. This can result in misinformation, loss of important subtitle data, or disruption of the video content experience for users relying on subtitles.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ClipBucket to version 5.5.3 - #133 or later, where the authorization issue allowing normal authenticated users to edit other users' video subtitles has been patched.

Compliance Impact

The vulnerability allows authenticated users to edit, rename, or delete subtitles on videos they do not own due to insufficient authorization checks. This can lead to unauthorized modification of content, impacting data integrity.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized modification of data could potentially violate principles of data integrity and access control required by these regulations.

However, there is no direct information provided about specific impacts on compliance with GDPR, HIPAA, or other common standards.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests that attempt to edit, rename, or delete subtitles on videos not owned by the authenticated user.

Specifically, an attacker exploits the lack of ownership verification by sending POST requests to the subtitle editing endpoints with parameters targeting videos they do not own.

To detect such activity, you can use network monitoring tools or web server logs to identify suspicious POST requests to subtitle-related URLs from authenticated users.

  • Use tools like tcpdump or Wireshark to capture HTTP POST traffic to the ClipBucket subtitle editing endpoints.
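  • Example command to capture TCP packets on port 80 that carry a payload (the filter selects non-empty segments rather than POST requests specifically, and traffic on port 443 is TLS-encrypted, so it has to be inspected at the TLS-terminating proxy or in server logs instead): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'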
  • Analyze web server access logs for POST requests to subtitle editing URLs with parameters indicating subtitle modification.
  • Check for POST requests from authenticated users modifying subtitles on videos they do not own, which indicates exploitation attempts.
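
The log review described above can be automated by joining subtitle write requests against a video ownership export. The following is an added example, not ClipBucket code: the log format, the endpoint placeholder, the status-code meaning and all IDs are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample data. The log layout and /SUBTITLE_ENDPOINT_PLACEHOLDER are
# assumptions for illustration, not ClipBucket's real paths or log format.
VIDEO_OWNER = {"42": "17", "43": "23", "44": "17"}  # video_id -> owner user id
ADMINS = {"1"}                                      # accounts allowed to edit any video
LOG = """\
2026-06-12T10:01:22Z user=17 POST /SUBTITLE_ENDPOINT_PLACEHOLDER action=upload video_id=42 status=200
2026-06-12T10:03:05Z user=23 POST /SUBTITLE_ENDPOINT_PLACEHOLDER action=rename video_id=42 status=200
2026-06-12T10:03:09Z user=23 POST /SUBTITLE_ENDPOINT_PLACEHOLDER action=delete video_id=44 status=200
2026-06-12T10:04:40Z user=1 POST /SUBTITLE_ENDPOINT_PLACEHOLDER action=delete video_id=43 status=200
2026-06-12T10:05:00Z user=23 GET /SUBTITLE_ENDPOINT_PLACEHOLDER action=list video_id=42 status=200
2026-06-12T10:06:11Z user=31 POST /SUBTITLE_ENDPOINT_PLACEHOLDER action=delete video_id=43 status=403
2026-06-12T10:07:00Z user=31 POST /SUBTITLE_ENDPOINT_PLACEHOLDER action=upload video_id=99 status=200
"""
# Only the three write actions named in the advisory are matched.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) \S+ "
    r"action=(?P<action>upload|rename|delete) video_id=(?P<vid>\d+) "
    r"status=(?P<status>\d{3})$"
)

def find_cross_owner_edits(log_text, owners, admins):
    """Return subtitle write requests made by someone other than the video owner."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        owner = owners.get(m["vid"])
        if m["user"] in admins or owner == m["user"]:
            continue  # legitimate: admin or the owner editing their own video
        if owner is None:
            verdict = "unknown-video"  # not in the export; review manually
        elif m["status"].startswith("2"):
            verdict = "succeeded"      # server accepted a cross-owner write
        else:
            verdict = "blocked"        # rejected (assumed behaviour once patched)
        findings.append({"ts": m["ts"], "user": m["user"], "video": m["vid"],
                         "owner": owner, "action": m["action"], "verdict": verdict})
    return findings

def actors_by_volume(findings):
    """Count findings per acting user to prioritise triage."""
    return Counter(f["user"] for f in findings)

if __name__ == "__main__":
    for f in find_cross_owner_edits(LOG, VIDEO_OWNER, ADMINS):
        print(f)
```

Findings marked "succeeded" point at an instance still running a version before 5.5.3 - #133 and at subtitles that need to be restored.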
