CVE-2026-42846
Description
Authenticated command injection in ClipBucket v5 Remote Play feature allows shell metacharacters in URL to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, the Remote Play feature allowed any authenticated user to add a video by importing an external URL as the source. The URL is passed directly into shell commands without escaping, leading to arbitrary command execution via shell metacharacters [1]. Affected versions: all prior to the patched commit.
Exploitation
An attacker needs only an authenticated account on the ClipBucket instance. The attacker submits a URL containing shell metacharacters (e.g., backticks, $(), ;) as the remote play file URL. The application performs several checks (valid URL, non-private IP, file extension must be .mp4 or .m3u8, HTTP 200 response) but does not sanitize the URL before passing it to shell commands [1]. Once the checks pass, the URL is used in an FFMpeg command that is executed without escaping, achieving command injection.
Impact
Successful exploitation allows the attacker to execute arbitrary shell commands with the privileges of the web server. This can lead to complete compromise of the server, including data theft, modification, or denial of service (CIA impact: total loss).
Mitigation
The vulnerability has been patched in ClipBucket version 5.5.3 - #140, released on 2026-06-11 [1]. Users should upgrade immediately. If upgrading is not possible, consider disabling the Remote Play feature or restricting its use to highly trusted users as a temporary workaround.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.5.3-140
- Range: <5.5.3 #140
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied URL is concatenated directly into shell commands without escaping, allowing shell metacharacters to be interpreted as commands."
Attack vector
An authenticated user with the default `allow_video_upload` permission submits a video via the Remote Play feature by providing a crafted external URL. The URL passes validation checks (valid URL, non-private IP, `.mp4` or `.m3u8` extension, HTTP 200 response) but shell metacharacters such as `$(...)` are not filtered. When the URL is concatenated into `ffprobe` or `mediainfo` commands and executed via `shell_exec()`, the embedded shell metacharacters are interpreted, allowing arbitrary command execution on the server [ref_id=1].
Affected code
The vulnerability is in the `get_file_info()` method of the FFMpeg class, which passes the user-supplied `$file_path` (the `remote_play_url`) directly into shell commands via `System::shell_output()`. For example, `$cmd = config('ffprobe_path') . ' -i "' . $file_path . '" ...'` and `$CMD = config('media_info') . ' \'--Inform=Video;\' ' . $file_path` are constructed by string concatenation without escaping. `shell_output()` calls PHP's `shell_exec()` [ref_id=1].
What the fix does
The advisory states the issue was patched in version 5.5.3 - #140. The fix should escape or sanitize the URL before passing it to shell commands, preventing shell metacharacters from being interpreted. Without the patch diff, the specific remediation is not visible, but the advisory's guidance is to ensure the URL is not concatenated directly into shell commands without escaping [ref_id=1].
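The two code patterns below are an added illustration for this record, not ClipBucket's own code and not the actual fix commit (which the advisory does not show). The first function reproduces the concatenation shape quoted under "Affected code"; the second applies the remediation the advisory calls for, passing the URL through PHP's `escapeshellarg()` so it reaches `ffprobe` as a single literal argument. A conservative URL validator is added as defence in depth. The `ffprobe` path and the two sample URLs are assumptions constructed for the example; the page's network-side checks (non-private IP, HTTP 200) are out of scope here.

```php
<?php
// Added example for CVE-2026-42846: unsafe vs. hardened command construction.
// Not ClipBucket code. FFPROBE_PATH and the sample URLs are constructed values.
declare(strict_types=1);

const FFPROBE_PATH = '/usr/bin/ffprobe'; // assumed location of the binary

/**
 * Vulnerable pattern, as described in the advisory: the user-controlled URL is
 * spliced into the command string. Double quotes do not stop the shell from
 * expanding $(...) or backticks, so metacharacters in the URL still run.
 */
function build_ffprobe_cmd_unsafe(string $file_path): string
{
    return FFPROBE_PATH . ' -i "' . $file_path . '" -show_streams';
}

/**
 * Hardened pattern: escapeshellarg() wraps the value in single quotes and
 * escapes any embedded single quote, so the shell treats the whole URL as one
 * opaque argument and performs no expansion on it.
 */
function build_ffprobe_cmd_safe(string $file_path): string
{
    return FFPROBE_PATH . ' -i ' . escapeshellarg($file_path) . ' -show_streams';
}

/**
 * Defence in depth: reject the URL before it gets anywhere near a shell.
 * Allowlists scheme and extension (mirroring the .mp4/.m3u8 rule on the page)
 * and restricts the URL to characters a remote media link actually needs.
 * Returns a reason string on rejection, or null when the URL is acceptable.
 */
function validate_remote_url(string $url): ?string
{
    if (strlen($url) > 2048) {
        return 'url too long';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'not an absolute URL';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme must be http or https';
    }
    $path = $parts['path'] ?? '';
    if (!preg_match('/\.(mp4|m3u8)\z/i', $path)) {
        return 'extension must be .mp4 or .m3u8';
    }
    // Conservative character allowlist. Shell-significant characters such as
    // $ ` ; | ( ) < > ' " \ and whitespace are deliberately absent; & and = are
    // kept so ordinary query strings still pass.
    if (!preg_match('/^[A-Za-z0-9\-._~:\/?#@%=+,&]*\z/', $url)) {
        return 'url contains disallowed characters';
    }
    return null;
}

// Constructed sample inputs: one ordinary media link, one carrying the $(...)
// pattern the advisory describes.
$samples = [
    'https://cdn.example.com/media/clip.mp4',
    'https://cdn.example.com/x$(id).mp4',
];

foreach ($samples as $url) {
    $verdict = validate_remote_url($url) ?? 'ok';
    echo "URL:      {$url}\n";
    echo "validate: {$verdict}\n";
    echo "unsafe:   " . build_ffprobe_cmd_unsafe($url) . "\n";
    echo "safe:     " . build_ffprobe_cmd_safe($url) . "\n\n";
}
```

For the second sample the validator returns `url contains disallowed characters`, and even if validation were bypassed the hardened builder yields `-i 'https://cdn.example.com/x$(id).mp4'`, a single-quoted argument the shell will not expand. The unsafe builder produces the double-quoted form in which `$(id)` is still evaluated. Validation and escaping are independent controls; the escaping is the one that removes the root cause, the validator only narrows the input space.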
Preconditions
- Auth: Attacker must have an authenticated account with the allow_video_upload permission (enabled by default)
- Input: Attacker must supply a URL that passes validation (valid URL, non-private IP, .mp4/.m3u8 extension, HTTP 200)
- Network: No special network position required; the feature is accessible over the web
Reproduction
1. Sign up as a new unprivileged user (e.g., `test:test`).
2. Navigate to the upload videos section.
3. Submit a crafted remote play URL containing shell metacharacters, e.g., `https://httpbin.org/anything/x$(id>/srv/http/clipbucket/upload/files/plop.txt).mp4`.
4. An error message may appear but the injected command executes.
5. Access the written file at `http://localhost:5555/files/plop.txt` to confirm command execution [ref_id=1].
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.