How is CVE-2026-45418 exploited?

Network reachability (required): The vulnerable subtitle_edit.php endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the ClipBucket instance. Authentication (required): Any low-privilege account with video-upload capability is sufficient; no admin or elevated role is needed. Victim interaction (not-required): The attacker sends crafted POST requests directly to the endpoint; no action from another user is needed. Attack complexity (info): Exploitation is reliable and condition-free: the injected payload targets a straightforward numeric parameter with no race conditions or environmental dependencies.

What is the impact of CVE-2026-45418?

Reads sensitive database contents including user credentials, session tokens, and stored personal data via boolean-based blind SQL injection queries. Enumerates database schema to identify and extract records from any table the application database user can access. With sufficient database privileges, the attacker may be able to read additional application secrets or configuration values persisted in the database.

Back to search

HIGHCVE-2026-45418Published 2026-06-11Modified 2026-06-12CNA GitHub_M

CVE-2026-45418: ClipBucket: Blind SQL Injection in subtitle_edit.php

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to change their title includes a number parameter which is vulnerable to SQL Injection. A boolean-based blind SQL injection can be used to exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #132.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Blind SQL injection in ClipBucket v5 affects the subtitle editing endpoint (subtitle_edit.php). The vulnerability is reachable over the network by any authenticated user with video-upload privileges, requiring no elevated permissions. Successful exploitation allows an attacker to exfiltrate sensitive data from the underlying database using boolean-based blind SQL injection techniques. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built ClipBucket images. Any image carrying a vulnerable version of clipbucket-v5 (prior to 5.5.3 #132) will surface in scan results automatically.

Available

Triage

HarborGuard scores this finding at CVSS 8.8 HIGH (v3.1) and weights it against each environment's compliance policy to determine priority and routing. Findings are routed to the appropriate team inbox within each customer organization based on policy configuration.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a confirmed fix ships. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable subtitle_edit.php endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the ClipBucket instance.
AuthenticationRequired
Any low-privilege account with video-upload capability is sufficient; no admin or elevated role is needed.
Victim interactionNot required
The attacker sends crafted POST requests directly to the endpoint; no action from another user is needed.
Attack complexityDetail
Exploitation is reliable and condition-free: the injected payload targets a straightforward numeric parameter with no race conditions or environmental dependencies.

Blast Radius

Reads sensitive database contents including user credentials, session tokens, and stored personal data via boolean-based blind SQL injection queries.
Enumerates database schema to identify and extract records from any table the application database user can access.
With sufficient database privileges, the attacker may be able to read additional application secrets or configuration values persisted in the database.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all customer images containing clipbucket-v5. Because no upstream patch has been published yet, HarborGuard re-evaluates the advisory on every ingest cycle. The moment a confirmed fix version is released, a patched-image rebuild becomes available, and for customers who have auto-remediation enabled, HarborGuard will automatically trigger a rebuild, run regression tests, and open a PR against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict access to the ClipBucket instance to trusted IP ranges, egress filtering to limit what the database tier can reach, and temporarily disabling subtitle editing functionality via a feature flag or application-layer firewall rule if the platform supports it. Where compliance policy permits, auto-remediation ensures the patched rebuild reaches affected workloads with no manual steps required.

See how HarborGuard automates this

Affected packages

MacWarrior / clipbucket-v5
< 5.5.3 - #132

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-q233-m544-6jqr

Metrics

Get notified