CVE-2026-42847— ClipBucket: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1005 · Data from Local System T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MacWarrior | clipbucket-v5 | < 5.5.3 - #122 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42847
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ClipBucket: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Source: NVD (National Vulnerability Database)
Vulnerability Description
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #122, there is a critical SQL Injection (SQLi) vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint admin_area/action_logs.php. The endpoint admin_area/action_logs.php reads $_GET['type'], stores it in $result_array['type'], and forwards it into fetch_action_logs(), where the value is concatenated directly into a SQL WHERE condition on action_type without parameterization. This allows UNION-based SQL injection and direct data exfiltration from the database. This vulnerability is fixed in 5.5.3 - #122.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MacWarrior | clipbucket-v5 | < 5.5.3 - #122 | - |
II. Public POCs for CVE-2026-42847
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42847
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: clipbucket-v5
- CVE-2026-32321
ClipBucket v5 has time-based Blind SQL Injection in ajax.php - CVE-2026-28354
ClipBucket v5 has IDOR in Collection Item Management - CVE-2026-26997
ClipBucket v5 has Stored XSS via Collection name - CVE-2026-26005
ClipBucket v5 enables internal network scans via an SSRF vul - CVE-2026-25728
ClipBucket v5 Affected by Remote Code Execution via Avatar/B
Same vendor: MacWarrior
- CVE-2026-32321
ClipBucket v5 has time-based Blind SQL Injection in ajax.php - CVE-2026-28354
ClipBucket v5 has IDOR in Collection Item Management - CVE-2026-26997
ClipBucket v5 has Stored XSS via Collection name - CVE-2026-26005
ClipBucket v5 enables internal network scans via an SSRF vul - CVE-2026-25728
ClipBucket v5 Affected by Remote Code Execution via Avatar/B
Same weakness: CWE-89
- CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46359
phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Un - CVE-2021-47966
PHP Timeclock 1.04 SQL Injection via login.php - CVE-2026-7046
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.12 -
V. Comments for CVE-2026-42847
No comments yet