VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 11, 2026

CVE-2026-45060

Description

Unauthenticated blind SQL injection in ClipBucket v5's actions/progress_video.php allows data exfiltration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The actions/progress_video.php endpoint in ClipBucket v5 prior to version 5.5.3 - #129 is vulnerable to blind SQL injection. The endpoint accepts an ids parameter via POST, which is expected to be an array of video IDs. However, the code does not validate that the array elements are integers. When the array is joined via implode(', ', $param_videoids) and passed to the mysql_clean() function (which only escapes certain characters and does not prevent SQL injection), an attacker can inject arbitrary SQL statements. The vulnerability exists in the getAll() method called on the Video class, which constructs a SQL IN clause from the unsanitized input.

Exploitation

An unauthenticated attacker can send a POST request to /actions/progress_video.php with a crafted array in the ids parameter. For example, sending ids[]=0) OR (1=1)-- - injects a SQL condition that bypasses the intended filtering. Since the database errors are not directly returned (blind SQL injection), the attacker must use boolean-based or time-based techniques to infer data character by character. No authentication or special network position is required beyond standard HTTP access.

Impact

Successful exploitation allows an attacker to exfiltrate sensitive data from the database, including user credentials, session tokens, or other private information. The vulnerability is rated critical (CVSS 9.8) due to the lack of authentication and the potential for full database compromise. Confidentiality is primarily affected, with possible further impact depending on the database contents.

Mitigation

ClipBucket version 5.5.3 - #129 fixes this issue by properly sanitizing the ids parameter. Users should upgrade to this version immediately. The fix was released as a security advisory [1]. No workarounds are provided for unpatched installations. The platform is not listed on the CISA KEV.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Insufficient input sanitization in the `ids` array parameter allows SQL injection via the `videoid IN (...)` clause."

Attack vector

An unauthenticated attacker sends a POST request to `/actions/progress_video.php` with the `ids` parameter as an array containing a malicious SQL payload [ref_id=1]. The payload is injected into a SQL `WHERE` clause via the `videoid IN (...)` condition. Because `mysql_clean()` does not block characters like parentheses, `--`, `=`, or `UNION`, the attacker can break out of the `IN` list and append arbitrary SQL [ref_id=1]. The response body length differs between true and false conditions, enabling blind SQL injection to exfiltrate data character by character [ref_id=1].

Affected code

The vulnerable endpoint is `/actions/progress_video.php`. The flaw lies in how the `ids` POST parameter is processed: when `ids` is an array, the values are joined with `implode(', ', $param_videoids)` and passed through `mysql_clean()` (which only escapes `NUL`, `\n`, `\r`, `\`, `'`, `"`, and CTRL+Z), then inserted directly into a SQL `WHERE` clause without additional sanitization [ref_id=1]. Characters such as parentheses, `--`, `=`, and `UNION` are not filtered, allowing an attacker to break out of the `IN (...)` list [ref_id=1].

What the fix does

The advisory states the issue is patched in version 5.5.3 - #129 [ref_id=1]. No patch diff is provided in the bundle, but the fix would need to ensure that array values passed to the `videoid IN (...)` clause are individually validated as integers before being used in the SQL query, similar to how a single `videoid` is cast to `(int)` [ref_id=1]. Additionally, the query construction should use parameterized queries or prepared statements rather than string interpolation to prevent SQL injection entirely.
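As an added illustration of the hardening described above (not ClipBucket's own code or patch, which is not in the bundle), the handler below validates every `ids` element as a positive integer and builds the `videoid IN (...)` clause from PDO placeholders instead of an `implode()` of raw input. The table name `video`, the `status` column, and the helper names are assumptions.

```php
<?php
// Added illustration, not ClipBucket's code: validate an `ids` array as
// positive integers and build the IN (...) clause with bound parameters.

declare(strict_types=1);

/**
 * Return only the entries of $ids that are positive integers.
 * Anything else (quotes, parentheses, comment markers, whole SQL
 * fragments) is dropped, so no attacker string reaches the SQL text.
 * Hypothetical helper, not from ClipBucket.
 */
function filter_video_ids($ids): array
{
    if (!is_array($ids)) {
        $ids = [$ids];
    }
    $clean = [];
    foreach ($ids as $id) {
        // ctype_digit() accepts only "0"-"9": no sign, space, or punctuation.
        if (is_string($id) && ctype_digit($id) && (int) $id > 0) {
            $clean[(int) $id] = true;          // dedupe via array key
        } elseif (is_int($id) && $id > 0) {
            $clean[$id] = true;
        }
    }
    return array_keys($clean);
}

/**
 * Build "videoid IN (?, ?, ?)" with one placeholder per id, so the ids
 * are bound as parameters rather than interpolated into the query.
 * Returns [sql, params]; sql is '' when there is nothing to query.
 */
function build_progress_query(array $ids): array
{
    if ($ids === []) {
        return ['', []];   // caller should answer with an empty result set
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = 'SELECT videoid, status FROM video WHERE videoid IN ('
         . $placeholders . ')';
    return [$sql, $ids];
}

// Usage with a PDO connection $pdo (assumed DSN and table layout):
// [$sql, $params] = build_progress_query(filter_video_ids($_POST['ids'] ?? []));
// if ($sql !== '') { $stmt = $pdo->prepare($sql); $stmt->execute($params); }
```

With this shape, a value such as `0) OR (1=1)-- -` is discarded by `filter_video_ids()` before any SQL is assembled, and even a value that passes validation is bound as an integer parameter rather than spliced into the query string.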

Preconditions

  • auth: No authentication required; any unauthenticated user can send a POST request
  • input: The ids parameter must be sent as an array (e.g., ids[]=payload)
  • config: For more elaborate UNION-based commands, at least one video must exist in the database (uploaded by any user)

Reproduction

The bundle includes a full Python PoC script [ref_id=1]. Run it as: `python3 poc_progress_video_sqli.py <URL> "<SQL query>"`. For example, `python3 poc_progress_video_sqli.py http://localhost "SELECT VERSION()"` or `python3 poc_progress_video_sqli.py http://localhost "SELECT password FROM cb_users WHERE userid=1"` [ref_id=1]. The script uses a blind oracle based on response body length: a true condition returns a 31-byte empty JSON (database error), while a false condition returns a 0-byte body [ref_id=1].

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (No linked articles in our index yet.)