CVE-2026-49482
Description
ClipBucket v5 ≤5.5.3-r139 allows authenticated users to overwrite all subtitle titles of owned videos via SQL wildcard injection in subtitle edit endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ClipBucket v5 ≤5.5.3-r139 allows authenticated users to overwrite all subtitle titles of owned videos via SQL wildcard injection in subtitle edit endpoint.
Vulnerability
ClipBucket v5 prior to version 5.5.3 - #141 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. The vulnerable code is in upload/includes/classes/video.class.php, function update_subtitle(), where the $number parameter from $_POST['number'] is used in a LIKE query after being escaped by mysql_clean() (which uses real_escape_string() but does not escape % and _ wildcards). Sending % as the number value causes the WHERE clause to match every subtitle row for the video, allowing mass overwrite of subtitle titles.
Exploitation
An authenticated user with edit_video permission (default for registered users) can exploit this by sending a POST request to /actions/subtitle_edit.php with number=% and a desired title value. This overwrites all subtitle titles for any video they own in a single HTTP request.
Impact
The attacker can overwrite all subtitle titles of any video they own, causing integrity and availability impacts on subtitle data. No escalation beyond the attacker's own videos is possible.
Mitigation
The issue is patched in ClipBucket version 5.5.3 - #141 [1]. Users should update to this version or later. As a workaround, administrators can add input validation to reject % and _ characters in the number parameter or change the query to use = instead of LIKE.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<5.5.3+ 1 more
- (no CPE)range: <5.5.3
- (no CPE)range: <5.5.3 - #141
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of SQL wildcard characters — the query uses `LIKE` instead of `=` for an exact-match field, and `mysql_clean()` does not escape `%` and `_`."
Attack vector
An authenticated attacker with `edit_video` permission sends a POST request to `/actions/subtitle_edit.php` with `videoid`, `number=%`, and `title=HACKED_ALL` [ref_id=1]. Because the SQL query uses `LIKE` instead of `=` and `mysql_clean()` does not escape the SQL wildcard `%`, the `%` matches every subtitle row for that video, causing all subtitle titles to be overwritten in a single request [ref_id=1].
Affected code
The vulnerable code is in `upload/includes/classes/video.class.php`, function `update_subtitle()`. The `$number` parameter originates from `$_POST['number']` in `upload/includes/core/subtitle_edit_core.php` and is passed unsanitized into a `LIKE` clause in the SQL query [ref_id=1].
What the fix does
The advisory recommends replacing `LIKE` with `=` in the `update_subtitle()` WHERE clause so that the `number` field is matched exactly rather than pattern-matched [ref_id=1]. Additionally, validating that `$number` matches a two-digit zero-padded integer format (`/^\d{2}$/`) before the database query would reject wildcard characters entirely [ref_id=1]. No official patch diff is included in the bundle, but the advisory states the issue is fixed in version 5.5.3 - #141.
Preconditions
- authAuthenticated user account with edit_video permission (default for registered users)
- inputAttacker must own at least one video with subtitles
- networkNo special network access required; standard HTTP POST to the vulnerable endpoint
Reproduction
1. Authenticate: `curl -s -c /tmp/cb.txt -b /tmp/cb.txt "http://TARGET/actions/login.php" -d "username=attacker&password=PASSWORD"` [ref_id=1] 2. Fire wildcard overwrite: `curl -s -b /tmp/cb.txt "http://TARGET/actions/subtitle_edit.php" -d "videoid=<VIDEO_ID>&number=%&title=HACKED"` [ref_id=1] 3. Verify all subtitles for that video now have title "HACKED" [ref_id=1].
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.