18 matches found

Cvelist
added 2026/03/18 8:37 p.m., 11 views

CVE-2026-32321 ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltration

ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...

CVSS 8.8 | EPSS 0.00016
Exploits: 1 | References: 2
Cvelist
added 2026/02/27 7:15 p.m., 16 views

CVE-2026-26997 ClipBucket v5 has Stored XSS via Collection name

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 59, a normal authenticated user can store the XSS payload. The payload is triggered by an administrator. Version 5.5.3 59 fixes the issue...

CVSS 5.1 | EPSS 0.00014
Exploits: 1 | References: 2
OSV
added 2026/02/12 8:34 p.m., 1 view

CVE-2026-26005 ClipBucket v5 enables internal network scans via an SSRF vulnerability

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 45, in ClipBucket v5, Remote Play allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SS...

CVSS 5 | AI score 5.6 | EPSS 0.0004
Exploits: 1 | References: 4
Vulnrichment
added 2026/02/10 5:12 p.m., 2 views

CVE-2026-25728 ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before...

CVSS 9.3 | AI score 6 | EPSS 0.00055
Exploits: 1 | References: 2
Cvelist
added 2026/02/10 5:12 p.m., 21 views

CVE-2026-25728 ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before...

CVSS 9.3 | EPSS 0.00055
Exploits: 1 | References: 2
RedhatCVE
added 2026/01/18 12:16 a.m., 4 views

CVE-2026-21875

ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The objid...

CVSS 9.8 | AI score 7.9 | EPSS 0.0006
Exploits: 1 | References: 1
RedhatCVE
added 2025/12/16 11:55 p.m., 2 views

CVE-2025-64338

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - 156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which makes ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is...

CVSS 9 | AI score 6.6 | EPSS 0.00052
Exploits: 1 | References: 1
CVE
added 2025/11/29 12:34 a.m., 5 views

CVE-2025-65113

ClipBucket v5 contains an authorization bypass in the AJAX flagging system that allows any unauthenticated user to flag content (users, videos, photos, collections). Affected versions are prior to 5.5.2; this issue can enable mass flagging and moderation abuse. The vulnerability has been patched ...

CVSS 6.5 | AI score 6.6 | EPSS 0.00125
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2025/11/29 12:34 a.m., 4 views

CVE-2025-65113 ClipBucket v5 Unauthenticated Object Flagging Vulnerability

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 - 164, an authorization bypass vulnerability in the AJAX flagging system allows any unauthenticated user to flag any content (users, videos, photos, collections) on the platform. This can lead to mass flagging attacks,...

CVSS 6.5 | EPSS 0.00125
Exploits: 1 | References: 2
Vulnrichment
added 2025/11/29 12:34 a.m., 1 view

CVE-2025-65113 ClipBucket v5 Unauthenticated Object Flagging Vulnerability

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 - 164, an authorization bypass vulnerability in the AJAX flagging system allows any unauthenticated user to flag any content (users, videos, photos, collections) on the platform. This can lead to mass flagging attacks,...

CVSS 6.5 | AI score 6.6 | EPSS 0.00125
Exploits: 1 | References: 2
Vulnrichment
added 2025/11/20 4:50 p.m., 1 view

CVE-2025-62709 ClipBucket v5 is vulnerable to password reset link manipulation

ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration baseurl is not set. Because Host is a client-controlled header, a...

CVSS 6.8 | AI score 7 | EPSS 0.00046
Exploits: 1 | References: 2
CVE
added 2025/11/20 4:50 p.m., 4 views

CVE-2025-62709

ClipBucket v5.5.2 is vulnerable to password reset link manipulation due to a code change in network.class.php that builds the server URL from the HTTP Host header when base_url is not configured. Because Host is user-controlled, an attacker can supply an arbitrary Host value, causing forget.php p...

CVSS 8.8 | AI score 7 | EPSS 0.00046
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2025/11/07 4:32 a.m., 4 views

CVE-2025-64336 ClipBucket v5's Manage Photo Feature is Vulnerable to Stored XSS Attack via Photo Title

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-146 and below, the Manage Photos feature is vulnerable to stored Cross-site Scripting (XSS). An authenticated regular user can upload a photo with a malicious Photo Title containing HTML/JavaScript code. While the payload doe...

CVSS 8.6 | AI score 6.6 | EPSS 0.00033
Exploits: 1 | References: 5
CNNVD
added 2025/11/07 12:0 a.m., 0 views

ClipBucket V5 Security Vulnerability

ClipBucket V5 is a video hosting platform for MacWarrior individual developers. A security vulnerability exists in ClipBucket V5. An attacker exploiting this vulnerability could perform operations with elevated privileges...

CVSS 9 | AI score 6.6 | EPSS 0.00052
Exploits: 1 | References: 3
CNNVD
added 2025/11/07 12:0 a.m., 3 views

ClipBucket V5 Security Vulnerability

ClipBucket V5 is a video hosting platform for MacWarrior individual developers. A security vulnerability exists in ClipBucket V5 5.5.2-146 and prior versions, which stems from the Manage Photos feature mishandling the Photo Title parameter, which could lead to a stored cross-site scripting attack...

CVSS 8.6 | AI score 5.8 | EPSS 0.00033
Exploits: 1 | References: 4
RedhatCVE
added 2025/10/17 6:44 p.m., 3 views

CVE-2025-62423

ClipBucket V5 provides open source video hosting with PHP. In version 5.5.2 - 140 and earlier, a Blind SQL injection vulnerability exists in the Admin Area’s “/adminarea/loginasuser.php” file. Exploiting this vulnerability requires access privileges to the Admin Area...

CVSS 6.7 | AI score 7.9 | EPSS 0.00048
Exploits: 1 | References: 1
OSV
added 2025/10/17 5:50 p.m., 1 view

CVE-2025-62430 ClipBucket v5 stored XSS via video/photo fields

ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 145 allows stored cross-site scripting (XSS) in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Producer, and Director fields in Movieinfos accept...

CVSS 5.4 | AI score 5.9 | EPSS 0.00027
Exploits: 1 | References: 4
Vulnrichment
added 2025/10/16 6:40 p.m., 2 views

CVE-2025-62423 ClipBucket V5 Blind SQL injection in the Admin Panel

ClipBucket V5 provides open source video hosting with PHP. In version 5.5.2 - 140 and earlier, a Blind SQL injection vulnerability exists in the Admin Area’s “/adminarea/loginasuser.php” file. Exploiting this vulnerability requires access privileges to the Admin Area...

CVSS 6.7 | AI score 7.5 | EPSS 0.00048
Exploits: 1 | References: 2