CVE-2026-45418
Description
Authenticated users can exploit a boolean-based blind SQL injection in ClipBucket v5's subtitle_edit.php to extract sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ClipBucket v5 prior to version 5.5.3 - #132 contains a SQL injection vulnerability in the POST /actions/subtitle_edit.php endpoint. The number parameter, which represents the subtitle ID and automatically increments, is not properly sanitized before being used in a SQL query [1]. Any authenticated user who can upload videos can add subtitles and then edit their titles, triggering the vulnerable parameter. The affected versions are all releases before the fix commit #132.
Exploitation
An attacker must have an account on the ClipBucket instance and be able to upload a video [1]. After uploading a video and adding at least one subtitle (e.g., by uploading a SubRip .srt file), the attacker sends a POST request to /actions/subtitle_edit.php with parameters title, videoid, and number. The number parameter is directly concatenated into SQL queries without parameterization, allowing a boolean-based blind SQL injection [1]. The attacker can observe differences in response behavior (e.g., success or error messages) to infer data character by character.
Impact
Successful exploitation allows an attacker to exfiltrate sensitive data from the database via boolean-based blind SQL injection [1]. This can include user credentials, session tokens, or other private information stored in the ClipBucket database. The attacker gains read access to the database but does not achieve code execution or direct write access through this vulnerability.
Mitigation
The vulnerability has been patched in ClipBucket version 5.5.3 - #132 [1]. Users should update to this version immediately. There is no known workaround for unpatched versions. The CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <5.5.3
- (no CPE) range: <5.5.3-#132
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `number` POST parameter allows SQL injection via concatenation into a `LIKE` clause."
Attack vector
An authenticated user who can upload videos sends a POST request to `/actions/subtitle_edit.php` with `videoid`, `title`, and a malicious `number` parameter. The `number` value is injected into an `UPDATE` query's `WHERE` clause via a `LIKE` operator without sanitization [ref_id=1]. A boolean-based blind SQL injection is achieved by observing whether the subtitle title changes (true condition) or stays the same (false condition). The attacker can chain this with an IDOR to target any user's video by guessing the `videoid` [ref_id=1].
Affected code
The vulnerability resides in `upload/actions/subtitle_edit.php` and `upload/includes/controller/core/subtitle_edit_core.php`, which pass the unsanitized `$_POST['number']` parameter to `CBvideo::getInstance()->update_subtitle($video, $number, $title)`. The `update_subtitle` method in `upload/includes/classes/video.class.php` (line ~2007) concatenates `$number` directly into a SQL `LIKE` clause without escaping, while `$videoid` is properly cast to `(int)` [ref_id=1].
What the fix does
The advisory states the issue was patched in ClipBucket v5.5.3 - #132 [ref_id=1]. While the advisory does not show the exact patch diff, the remediation would require sanitizing or parameterizing the `$number` variable in the `update_subtitle` method, similar to how `$videoid` is already cast to `(int)`. The `number` parameter should be validated as an integer or passed as a prepared statement parameter instead of being concatenated into the SQL string.
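To make the remediation concrete, here is an added illustration (not ClipBucket's own code, which this page does not show) of the pattern the advisory describes beside a hardened form: a hypothetical `update_subtitle` that interpolates `$number` into a `LIKE` clause, and a version that validates the subtitle id as an integer and binds every operand through a prepared statement. The mysqli API, the table name `video_subtitle` and its column names are assumptions.

```php
<?php
// Added example; table/column names and the mysqli DB layer are assumed.

// Vulnerable pattern (as described in the advisory): $videoid is cast to int,
// but $number is concatenated into the LIKE clause unescaped, so a quoted
// value with SQL appended rewrites the WHERE logic. The caller can tell a
// true from a false condition by whether the row was updated.
function update_subtitle_vulnerable(mysqli $db, $videoid, $number, $title): int
{
    $videoid = (int) $videoid;                 // only this operand is sanitized
    $title   = $db->real_escape_string($title);
    $sql = "UPDATE video_subtitle SET title = '$title' "
         . "WHERE videoid = $videoid AND number LIKE '$number'";
    $db->query($sql);
    return $db->affected_rows;                 // 1 vs 0 is the boolean oracle
}

// Hardened pattern: reject anything that is not a non-negative integer before
// it reaches SQL, then bind all user-controlled values as typed parameters.
// Because the subtitle id is an auto-incrementing integer, LIKE is not needed;
// an equality comparison on a bound int cannot be turned into a boolean probe.
function update_subtitle_fixed(mysqli $db, $videoid, $number, $title): int
{
    if (!is_string($number) && !is_int($number)) {
        throw new InvalidArgumentException('subtitle number must be numeric');
    }
    if (!ctype_digit((string) $number)) {
        throw new InvalidArgumentException('subtitle number must be an integer');
    }
    $videoid = (int) $videoid;
    $number  = (int) $number;

    $stmt = $db->prepare(
        'UPDATE video_subtitle SET title = ? WHERE videoid = ? AND number = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sii', $title, $videoid, $number);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}
```

Validating `number` in the controller (`subtitle_edit_core.php` in the advisory's description) before calling the model gives the same protection one layer earlier, but the prepared statement in the model is what removes the injection sink itself.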
Preconditions
- auth: Attacker must have an authenticated session with permission to upload videos
- input: The target videoid must have at least one subtitle row attached
- network: No special network access required beyond reaching the web application
Reproduction
1. As an authenticated user, upload a video and note its `videoid`.
2. Upload a `.srt` subtitle file for that video via the "Subtitle files" section.
3. Send a POST to `/actions/subtitle_edit.php` with `title=Oracle_True_hello&videoid=6&number=01'+AND+(1%3d1)--+-`. If the title changes to "Oracle_True_hello", the condition was true.
4. Send a similar request with `number=01'+AND+(2%3d1)--+-`; the title should remain unchanged (false condition).

This boolean oracle allows blind data exfiltration using the provided Python script [ref_id=1].
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.