CVE-2026-47238
Description
ClipBucket v5 prior to 5.5.3-#133 allows any authenticated user to edit another user's video subtitles due to missing ownership checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ClipBucket v5 prior to 5.5.3-#133 allows any authenticated user to edit another user's video subtitles due to missing ownership checks.
Vulnerability
In ClipBucket v5 before version 5.5.3 - #133, the video subtitle editor endpoints (subtitle_edit.php, subtitle_popin_upload.php, subtitle_edit_core.php, subtitle_delete.php, and subtitle_save.php) lack authorization checks to verify that the requesting user owns the video. The application only checks for the edit_video permission, which is granted by default to the "Registered User" level. This allows any authenticated user to upload, rename, or delete subtitles on any video, including those owned by administrators. [1]
Exploitation
An attacker needs only a valid user account (self-registration is typically allowed). The attacker identifies a target video's videoid (e.g., via browsing the site) and sends crafted POST requests to the subtitle endpoints using their session cookie. For example, a curl request to /actions/subtitle_save.php with a chosen title and subtitle file content can add subtitles to any video. The attacker can also rename or delete existing subtitles by sending requests to /actions/subtitle_edit.php with title, videoid, and the subtitle number. No additional privileges or user interaction is required. [1]
Impact
An authenticated attacker can arbitrarily upload, rename, or delete subtitles on any video in the platform. This can lead to defacement of video content (e.g., inserting misleading or offensive captions), or denial of service by deleting subtitles. The attacker does not gain access to the video file itself or other sensitive data. The impact is limited to subtitle manipulation, but it affects all users including administrators. [1]
Mitigation
The issue is patched in ClipBucket version 5.5.3 - #133, released on an unknown date but referenced in the advisory [1]. Users should upgrade to this patched version or later. If upgrading is not immediately possible, administrators could temporarily remove the edit_video permission from the default Registered User level, though this may affect legitimate video editing functionality. No workaround is documented in the advisory beyond applying the patch.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: < 5.5.3
- Range: <5.5.3-#133
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check — the application verifies the user has the generic `edit_video` permission but never checks whether the video belongs to that user."
Attack vector
An attacker with a self-registered account sends a POST request to `/actions/subtitle_save.php` (or the edit/delete endpoints) with a target `videoid` that belongs to another user. The application only checks whether the attacker has the `edit_video` permission — which the default "Registered User" level grants — and does not verify ownership of the video [ref_id=1]. The attacker can upload a SubRip (.srt) subtitle file, change its title, or delete existing subtitles on any video on the site, including admin-owned videos [ref_id=1].
Affected code
The vulnerability exists in three action files: `subtitle_popin_upload.php`, `subtitle_edit_core.php`, and `subtitle_delete.php`. Each file calls `User::getInstance()->hasPermissionAjax('edit_video')` to check if the user has the generic "edit video" permission, but never verifies that the video being modified belongs to that user [ref_id=1].
What the fix does
The advisory states the issue has been patched in version 5.5.3 - #133 [ref_id=1]. No patch diff is included in the bundle, but the fix would require adding an ownership check in `subtitle_popin_upload.php`, `subtitle_edit_core.php`, and `subtitle_delete.php` so that the authenticated user can only modify subtitles on videos they own, rather than relying solely on the generic `edit_video` permission check [ref_id=1].
Preconditions
- authAttacker must have a registered user account on the ClipBucket instance
- inputAttacker must know or guess the target video's videoid
- inputTarget video must exist on the platform
Reproduction
As the admin, upload a video (e.g., videoid=5). Self-register as a new user (e.g., `poc_user`). Send a POST request to `/actions/subtitle_save.php` with the target videoid and a subtitle file:
``` curl -X POST 'http://localhost/actions/subtitle_save.php' \ -H 'Cookie: PHPSESSID=d49f7d9502805a0db7d314c573a786f0' \ -F 'title=test' \ -F $'subtitles=WEBVTT \n\n00:00:00.000 --> 00:00:09.000\ntest\n;type=application/x-subrip;filename=poc_sub.srt' \ -F 'videoid=5' \ -F 'is_for_upload=false' ```
The video now contains a new subtitle "test" despite the attacker not owning the video [ref_id=1].
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.