CVE-2026-42846 ClipBucket: Remote Play URL Command Injection

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - 140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly...

CVE-2026-42846

CVE-2026-42846 affects ClipBucket v5 prior to 5.5.3 (pre-release #140) where the Remote Play feature concatenates a user-provided URL into shell commands without escaping. This allows an authenticated user to trigger arbitrary command execution via shell metacharacters in the URL. The issue has b...