CRITICAL🇵🇱 Wersja polska

CVE-2026-21875

CVSS 9.8v3.1pub. 2026-01-08upd. 2026-01-27

ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class. php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class. php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication.

🤖 AI Analysis
How it works

When adding a comment to a channel, the application sends a POST request to the /actions/ajax.php endpoint. The obj_id parameter from this request is passed directly to the user_exists function in the upload/includes/classes/user.class.php file as the $id variable, and then to the count function in the upload/includes/classes/db.class.php file. The $id parameter is concatenated directly into the SQL query without any input validation or sanitization. An attacker can provide a payload like '1' or 1=1-- -', which triggers blind SQL injection, allowing data to be read from the database by analyzing application behavior.

Impact

An unauthenticated remote attacker can gain unauthorized access to database contents, including user data, passwords and other sensitive information, and potentially also modify or delete application data.

Mitigation & patch

At the time of publication, the vulnerability had no available patch. You should monitor the project repository at https://github.com/MacWarrior/clipbucket-v5 and apply the patch immediately upon release. Until a patch is released, it is recommended to restrict access to the /actions/ajax.php endpoint (e.g., through a WAF application firewall) and consider temporarily disabling the channel commenting feature.

Who is affected

ClipBucket v5 in versions 5.5.2-#187 and lower (open source video sharing platform).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oxygenz Clipbucket

    APP
    Oxygenz
    5.3 – 5.5.2-191 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-25728CRITICAL9.3PL ✓ten sam produkt

TOCTOU Race Condition w ClipBucket umożliwia wykonanie kodu PHP

CVE-2025-67418CRITICAL9.8PL ✓ten sam produkt

ClipBucket 5.5.2 — hardcoded domyślne dane logowania w panelu admina

CVE-2025-21624CRITICAL9.8PL ✓ten sam produkt

ClipBucket V5 — nieograniczony upload plików PHP przez funkcję playlist

CVE-2024-54135CRITICAL9.8PL ✓ten sam produkt

PHP Deserialization w ClipBucket V5 — zdalne wykonanie kodu

CVE-2024-54136CRITICAL9.8PL ✓ten sam produkt

PHP Deserialization w ClipBucket V5 umożliwia zdalne wykonanie kodu