CRITICAL | CVE-2026-42846 | CNA: GitHub_M

CVE-2026-42846: ClipBucket: Remote Play URL Command Injection

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into shell commands without escaping and then executed, so any shell metacharacter in the URL is interpreted. This results in arbitrary command execution. This issue has been patched in version 5.5.3 - #140.
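The defect the description names, shown beside its fix, as an added illustration that is not ClipBucket's code. ClipBucket is written in PHP; this Python version stands in for the PHP idiom (string concatenation into shell_exec versus escapeshellarg or an argument vector) so the point is visible in one runnable file. The tool name ffprobe, its flags, and the sample URLs are assumptions; nothing is executed, the script only shows how a shell would tokenise each form.

```python
"""Added example, not ClipBucket's own code.

ClipBucket v5 is PHP; this generic Python script illustrates the same defect
and the same fix. The tool name (ffprobe) and its flags are assumptions used
only to make the command concrete. Nothing here runs an external program.
"""
import shlex
import subprocess
from urllib.parse import urlsplit

PROBE_TOOL = "ffprobe"            # hypothetical downstream tool
ALLOWED_SCHEMES = {"http", "https"}


def build_command_unsafe(url: str) -> str:
    """VULNERABLE pattern from the advisory: the URL is concatenated into one
    string that is later handed to a shell (shell_exec in PHP,
    subprocess.run(..., shell=True) in Python)."""
    return f"{PROBE_TOOL} -v quiet -show_format " + url


def shell_tokens(command: str) -> list:
    """Tokenise a command string the way a POSIX shell would, keeping control
    operators such as ';', '|' and '&&' as separate tokens. Used only to show
    what the shell would see; the command is not executed."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_acceptable_remote_url(url: str) -> bool:
    """Defence in depth: accept only absolute http(s) URLs with a host and no
    whitespace or control characters. ';' and '&' are legal inside URLs, so a
    metacharacter blocklist cannot replace keeping the shell out of the path."""
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


def build_command_safe(url: str) -> list:
    """Fixed pattern: validate, then pass the URL as a single argv element.
    With an argument vector there is no shell to interpret metacharacters."""
    if not is_acceptable_remote_url(url):
        raise ValueError("rejected remote URL")
    return [PROBE_TOOL, "-v", "quiet", "-show_format", url]


def quote_for_shell(url: str) -> str:
    """If a shell string is unavoidable, shlex.quote (PHP: escapeshellarg)
    wraps the value so the shell treats it as one literal word."""
    return shlex.quote(url)


def run_probe(url: str) -> subprocess.CompletedProcess:
    """Run the probe without a shell. Not exercised below because the tool may
    not be installed; shown to make the safe invocation explicit."""
    return subprocess.run(build_command_safe(url), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    # Constructed input: passes scheme/host validation yet carries a ';'.
    hostile = "https://cdn.example.org/clip.mp4;echo"
    print("unsafe :", shell_tokens(build_command_unsafe(hostile)))
    print("quoted :", shell_tokens(f"{PROBE_TOOL} " + quote_for_shell(hostile)))
    print("argv   :", build_command_safe(hostile))
```

The unsafe form tokenises into two commands; the quoted form and the argv form both keep the whole URL as one word, which is why the advisory's fix is escaping (or, better, dropping the shell entirely) rather than filtering characters.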

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (not listed on this record)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Command injection in ClipBucket v5's Remote Play URL import feature allows any attacker who can reach the service over the network to execute arbitrary shell commands on the server. The flaw stems from user-supplied URLs being concatenated directly into shell commands without escaping or sanitization, so any shell metacharacter in a crafted URL is interpreted by the shell. Successful exploitation gives an attacker full command execution on the host, enabling complete confidentiality, integrity, and availability compromise. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix version is published.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-42846 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images derived from ClipBucket v5 base layers. Any image carrying an affected version of MacWarrior/clipbucket-v5 is flagged automatically during both registry scans and CI pipeline checks.
Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.8 (CRITICAL), and per-environment compliance policy weighting can escalate or re-route the finding based on each customer organization's defined risk thresholds. Triage routing delivers the finding to the inbox or ticketing integration configured for the affected workload owner within each customer org.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released by the ClipBucket maintainers. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR opened against affected workloads will be initiated without manual intervention once an upstream patch exists.

Exploit Conditions

  • Network reachability: Required

    The vulnerable Remote Play endpoint is exposed over the network, so an attacker must be able to reach the ClipBucket service via HTTP/HTTPS.

  • Authentication: Not required

    The CVSS vector specifies PR:N, meaning no credentials or prior account access are required to trigger the injection.

  • Victim interaction: Not required

    The CVSS vector specifies UI:N; exploitation is fully server-side and requires no action from any user or administrator.

  • Attack complexity: Low

    AC:L indicates the exploit is reliable and condition-free; no race conditions, special memory layout, or environmental factors need to align.

Blast Radius

  • Attacker executes arbitrary shell commands on the server hosting ClipBucket, gaining the same OS-level privileges as the web application process.
  • All data accessible to that process, including stored video metadata, user records, and session tokens, is readable by the attacker.
  • The attacker can write, overwrite, or delete files on the server, modifying application code, configuration, or stored media.
  • The attacker can crash or resource-exhaust the service, taking the video platform offline for all users.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of this advisory across every customer environment running an affected ClipBucket v5 image. Because no upstream patch has been published yet, HarborGuard re-evaluates the advisory on each ingest cycle. In the interim, compensating controls worth considering include:

  • network-policy isolation that restricts inbound access to the Remote Play endpoint to trusted internal ranges only;
  • egress filtering on the container to prevent outbound callback connections that a typical command-injection payload would initiate;
  • feature-flag or WAF rules that block or sanitize URL parameters containing shell metacharacters.

The moment MacWarrior publishes a fix release, HarborGuard will make a patched-image rebuild available; for customers with auto-remediation enabled, that triggers an automatic rebuild, regression run, and PR opened against affected workloads.
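One way to implement the last compensating control as a log-side check, as an added example that is not part of the advisory or of HarborGuard's tooling: it scans constructed access-log lines, isolates requests to the import endpoint, percent-decodes the URL parameter and flags values carrying shell control operators. The endpoint path (/remote_play), the parameter name (url) and every log line are assumptions; a real rule would use the paths and field names of the deployed ClipBucket instance.

```python
"""Added example, not part of the advisory or of ClipBucket.

Detection over access-log lines for Remote Play import requests whose URL
parameter carries shell metacharacters. Endpoint path, parameter name and
the log lines themselves are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Common log format without referrer/agent fields (constructed layout).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

IMPORT_PATH = "/remote_play"      # hypothetical endpoint path
URL_PARAM = "url"                 # hypothetical parameter name

# Operators that would split or substitute a command if the value reached a
# shell unescaped. A lone '&' is deliberately excluded: it is normal inside a
# URL's own query string and would flood the rule with false positives.
METACHAR_RE = re.compile(r"(;|\|\||\||&&|`|\$\(|\$\{|\n|\r)")

# Constructed sample lines: one unrelated request, two benign imports (the
# second with an encoded '&' inside the imported URL), two flagged imports.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [10/Mar/2026:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Mar/2026:12:00:02 +0000] "POST /remote_play?url=https%3A%2F%2Fcdn.example.org%2Fclip.mp4 HTTP/1.1" 200 88',
    '10.0.0.7 - - [10/Mar/2026:12:00:03 +0000] "POST /remote_play?url=https%3A%2F%2Fcdn.example.org%2Fplay%3Fid%3D7%26q%3Dhd HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Mar/2026:12:00:04 +0000] "POST /remote_play?url=https%3A%2F%2Fcdn.example.org%2Fclip.mp4%3Becho HTTP/1.1" 500 0',
    '203.0.113.9 - - [10/Mar/2026:12:00:05 +0000] "POST /remote_play?url=https%3A%2F%2Fcdn.example.org%2Fclip.mp4%7Cecho HTTP/1.1" 500 0',
]


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_import_values(line: str) -> list:
    """Metacharacters found in the import parameter of one line; [] when the
    line is not an import request or its URL parameter looks clean."""
    rec = parse_line(line)
    if rec is None:
        return []
    target = urlsplit(rec["target"])
    if target.path != IMPORT_PATH:
        return []
    # parse_qs percent-decodes values, so the match runs on what the
    # application would actually see rather than on the encoded form.
    for value in parse_qs(target.query).get(URL_PARAM, []):
        hits = METACHAR_RE.findall(value)
        if hits:
            return sorted(set(hits))
    return []


def scan_log(lines) -> list:
    """Collect one finding per line whose import parameter carries operators."""
    findings = []
    for line in lines:
        hits = suspicious_import_values(line)
        if hits:
            rec = parse_line(line)
            findings.append({"client": rec["client"], "time": rec["time"],
                             "status": rec["status"], "metachars": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(CONSTRUCTED_LOG):
        print(finding)
```

Matching on the decoded value is the part most often missed in a hand-written WAF rule; matching the raw query string would miss the encoded forms above. Note the caveat on ';': it is legal in URL path segments, so this rule trades some false positives for coverage and is a stopgap until the upstream fix is deployed, not a replacement for it.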

Affected packages

  • MacWarrior / clipbucket-v5: < 5.5.3 - #140

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H