CVE-2026-49482

Published: Jun 12, 2026Modified: Jun 12, 2026Deferred

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request. This issue has been patched in version 5.5.3 - #141.

Related CWEs

CWE-155

Improper Neutralization of Wildcards or Matching Symbols

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

References (2)

https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-wv43-277p-737c

Source: security-advisories@github.com

https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-wv43-277p-737c

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.