VYPR
High severity · NVD Advisory · Published May 14, 2026 · Updated May 16, 2026

CVE-2026-42847

Description

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #122, there is a critical SQL Injection (SQLi) vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint admin_area/action_logs.php. The endpoint admin_area/action_logs.php reads $_GET['type'], stores it in $result_array['type'], and forwards it into fetch_action_logs(), where the value is concatenated directly into a SQL WHERE condition on action_type without parameterization. This allows UNION-based SQL injection and direct data exfiltration from the database. This vulnerability is fixed in 5.5.3 - #122.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in ClipBucket v5 admin action_logs.php allows authenticated administrators to exfiltrate database data.

Vulnerability

ClipBucket v5 prior to 5.5.3 - #122 contains a SQL injection vulnerability in the admin endpoint admin_area/action_logs.php. The type parameter from $_GET is stored into $result_array['type'] and passed to fetch_action_logs(), where it is directly concatenated into a SQL WHERE condition without parameterization. This allows an attacker to break out of the intended string context and inject arbitrary SQL [1].

Exploitation

Exploitation requires an authenticated admin session. The endpoint enforces admin access via User::getInstance()->hasPermissionOrRedirect('admin_access', true). An attacker with valid admin credentials can send a crafted HTTP GET request to admin_area/action_logs.php with a malicious type parameter, such as a UNION-based injection payload, to extract data from the database [1].

Impact

Successful exploitation allows an authenticated admin attacker to perform UNION-based SQL injection, leading to exfiltration of arbitrary data from the backend database. This results in high confidentiality impact, as sensitive information can be read [1].

Mitigation

The vulnerability is fixed in version 5.5.3 - #122. Users should update to this version or later. No workaround is available besides applying the patch [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
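
The crafted GET request described under Exploitation leaves a trace in web server access logs, so one way to hunt for it is to flag requests to admin_area/action_logs.php whose decoded type value is not a plain token. This is an added example, not code from ClipBucket or from the advisory; the combined log format, the token pattern for legitimate action types, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the affected endpoint, as named in the advisory.
ENDPOINT = "admin_area/action_logs.php"
# Assumption: legitimate action types are short identifier-like tokens.
SAFE_TYPE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_type_values(log_lines):
    """Return (line_number, decoded type value) for requests to the
    endpoint whose type parameter is not a plain token."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes values and turns "+" into a space.
        for value in parse_qs(url.query, keep_blank_values=True).get("type", []):
            if value and not SAFE_TYPE.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/May/2026:10:01:02 +0000] "GET /admin_area/action_logs.php?type=login HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/May/2026:10:01:09 +0000] "GET /admin_area/action_logs.php?type=x%27%20UNION%20SELECT%201--%20- HTTP/1.1" 200 7344',
    '203.0.113.9 - - [14/May/2026:10:02:00 +0000] "GET /admin_area/action_logs.php?page=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/May/2026:10:02:31 +0000] "GET /other_page.php?type=a%27b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_type_values(SAMPLE_LOG):
        print(f"line {number}: suspicious type={value!r}")
```

Because the endpoint requires an admin session, any hit should be correlated with the admin account and source address behind the request. A single decode pass is applied, so double-encoded values need a second pass before matching.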


References

1