CVE-2026-21875

9.8 CRITICAL

📋 TL;DR

ClipBucket v5 versions 5.5.2-#187 and below contain a blind SQL injection vulnerability in the comment functionality. An attacker with an account that can post comments on channels can inject SQL through the obj_id parameter sent to /actions/ajax.php; because the injection is blind, nothing from the database is echoed back, but the attacker can infer its contents one true/false answer (or one timing difference) per request and read the database out that way. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • ClipBucket v5
Versions: Versions 5.5.2-#187 and below
Operating Systems: All operating systems running ClipBucket
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable code are affected regardless of configuration.

📦 What is this software?

ClipBucket v5 is an open-source, self-hosted video sharing platform written in PHP on top of a MySQL database; the project is maintained at https://github.com/MacWarrior/clipbucket-v5, the repository that also hosts the vendor advisory linked below.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise, including exfiltration of sensitive user data, authentication bypass and privilege escalation. Remote code execution is possible only if the database account used by the application holds extra privileges (for example MySQL FILE, allowing SELECT ... INTO OUTFILE onto the web root), so it depends on the deployment rather than on the bug alone.

🟠

Likely Case

Data exfiltration of user information, comments, and potentially hashed passwords, leading to credential theft and account takeover.

🟢

If Mitigated

Limited impact once obj_id is validated as an integer and bound as a query parameter. WAF rules reduce exposure but do not remove it, since blind injection payloads can be obfuscated past pattern matching.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via POST requests to /actions/ajax.php which is typically internet-facing for video sharing platforms.
🏢 Internal Only: MEDIUM - While primarily internet-facing, internal users could also exploit this if they have access to the application.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user authentication to access the comment functionality, but the SQL injection technique is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None listed on this page; check the vendor advisory below for the fixing commit or build (the affected range "5.5.2-#187 and below" suggests a later build resolves it, but this page does not confirm one).

Vendor Advisory: https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-crpv-fmc4-j392

Restart Required: No

Instructions:

No patched version is listed here. Apply the workarounds below, track the vendor advisory for a fix, and consider migrating if none is published.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Implement server-side validation and parameterized queries for the obj_id parameter in the user_exists function. Two independent changes close the hole, and both are worth making:

Modify upload/includes/classes/user.class.php to reject any obj_id that is not a positive integer before it reaches a query (a bare integer cast is not enough on its own if the value is later used elsewhere as a string)
Modify upload/includes/classes/db.class.php so that the lookup uses a prepared statement with the value bound as an integer parameter, rather than concatenating it into the SQL string
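The following is an added example, not ClipBucket code: it shows, against an in-memory SQLite table standing in for the users table, why a concatenated obj_id acts as a boolean oracle for blind injection and how the two fixes above (integer validation, parameter binding) make the same probes inert. Table and column names, the `user_exists_*` function names and the probe strings are assumptions for illustration; the real code is PHP against MySQL, where the equivalent is a PDO prepared statement with `PDO::PARAM_INT`.

```python
"""Added example (not ClipBucket's code): blind SQL injection through an
integer-looking parameter, and the hardened lookup that defeats it.
The schema and sample rows below are constructed for the demonstration."""
import re
import sqlite3

# What a legitimate obj_id looks like: a short, unsigned decimal integer.
OBJ_ID_RE = re.compile(r"^[0-9]{1,10}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an admin (level 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", 1), (2, "alice", 3), (3, "bob", 3)],
    )
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, obj_id: str) -> bool:
    """The vulnerable pattern: untrusted obj_id is concatenated into the SQL.
    The caller learns only True/False, which is all a blind injection needs."""
    sql = "SELECT userid FROM users WHERE userid = " + obj_id
    return conn.execute(sql).fetchone() is not None


def user_exists_fixed(conn: sqlite3.Connection, obj_id: str) -> bool:
    """Fix 1: refuse anything that is not a short decimal integer.
    Fix 2: bind the value as a parameter so the engine never parses it as SQL."""
    if not OBJ_ID_RE.fullmatch(obj_id):
        raise ValueError("obj_id must be a positive integer")
    row = conn.execute(
        "SELECT userid FROM users WHERE userid = ?", (int(obj_id),)
    ).fetchone()
    return row is not None


def boolean_oracle_demo(lookup) -> list:
    """Ask the lookup a question the application never meant to answer:
    does the admin's username start with 'a'?  Against the vulnerable lookup
    the two probes return different answers, leaking one fact per request;
    the fixed lookup rejects both probes before any query runs (None)."""
    probe_true = "999 OR (SELECT substr(username,1,1) FROM users WHERE level=1)='a'"
    probe_false = "999 OR (SELECT substr(username,1,1) FROM users WHERE level=1)='z'"
    answers = []
    for probe in (probe_true, probe_false):
        try:
            answers.append(lookup(make_db(), probe))
        except ValueError:
            answers.append(None)
    return answers


if __name__ == "__main__":
    print("vulnerable:", boolean_oracle_demo(user_exists_vulnerable))
    print("fixed:     ", boolean_oracle_demo(user_exists_fixed))
```

The probes deliberately use a userid (999) that does not exist, so the only thing that can make the vulnerable lookup return True is the injected subquery; repeating that with different characters and positions is how a blind injection reads the whole table. The fixed lookup never reaches the database with such input, and even if the validation were removed, the bound integer parameter cannot change the query's structure.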

WAF Rule Implementation

Platform: all

Deploy web application firewall rules in front of /actions/ajax.php. A rule keyed on SQL keywords will miss obfuscated payloads and flag ordinary comment text; a tighter rule is to require the obj_id POST parameter to be a short decimal integer and block everything else.

Add WAF rule: on POST /actions/ajax.php, block requests whose obj_id parameter is not matched by ^[0-9]{1,10}$ (allowlist), and optionally a second rule that detects generic SQL injection patterns in the remaining POST parameters

🧯 If You Can't Patch

  • Disable comment functionality in channels completely
  • Run the application with a least-privilege database account: only the ClipBucket schema, no FILE, SUPER or PROCESS privileges, and no write access to tables the comment path does not need, so that a successful injection cannot be turned into file writes or code execution
  • Restrict the database server so that only the application hosts can reach it, limiting lateral movement if the database is compromised

🔍 How to Verify

Check if Vulnerable:

Check if your ClipBucket version is 5.5.2-#187 or earlier by examining the version file or admin panel.

Check Version:

Check upload/version.txt or admin panel version information

Verify Fix Applied:

On a test instance, submit comments whose obj_id is not a plain integer (for example a value with a trailing quote, or a boolean or time-based probe). A fixed build rejects the request before any query runs, with no difference in response time or behaviour between "true" and "false" probes; any observable difference means the injection is still reachable. Keep such tests off production systems.

📡 Detection & Monitoring

Log Indicators:

  • Database errors in application or MySQL logs (the injection is blind to the attacker, but malformed probes still fail on the server side)
  • Many comment submissions from one account or source containing quotes, comment markers or parentheses in obj_id
  • obj_id values that are not plain integers, or are unusually long, since a legitimate value is a short numeric identifier

Network Indicators:

  • POST requests to /actions/ajax.php containing SQL keywords in parameters
  • Unusual database query patterns from application server

SIEM Query:

source="web_logs" AND method="POST" AND uri="/actions/ajax.php" AND param="obj_id" AND NOT value MATCHES "^[0-9]{1,10}$"

This allowlist form avoids the false positives of a keyword match such as "OR|UNION|SELECT", which fires on ordinary words inside comment text. It requires that the log source records POST body parameters (a reverse proxy or WAF audit log); a plain access log that stores only the request line will not contain obj_id.
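The detection logic above, as an added example that is not part of the original page, run over constructed log lines. It assumes the proxy or WAF writes one JSON object per request including the decoded POST body in a "body" field; the field names, the sample addresses and all parameter names other than obj_id are made up for the demonstration, so adapt the parsing to your own log source.

```python
"""Added example (not part of the original page): flag POST requests to
/actions/ajax.php whose obj_id parameter is not a plain integer, and say why.
The log format and the sample lines below are constructed for this example."""
import json
import re
from urllib.parse import parse_qs

TARGET_URI = "/actions/ajax.php"
VALID_OBJ_ID = re.compile(r"^[0-9]{1,10}$")
# Word-bounded so that words such as "FOR" or "WORLD" do not trip the check.
SQL_KEYWORDS = re.compile(r"\b(or|and|union|select|sleep|benchmark|if|case|from)\b", re.I)
SQL_SYNTAX = re.compile(r"['\";()#]|--|/\*")

# Constructed sample log lines (not real traffic). Lines 2-4 are probes;
# line 6 carries SQL words in the comment text but a clean obj_id.
SAMPLE_LOG = """
{"ts":"2026-01-10T10:00:01Z","src":"203.0.113.5","method":"POST","uri":"/actions/ajax.php","body":"mode=add_comment&obj_id=42&comment=nice+video"}
{"ts":"2026-01-10T10:00:02Z","src":"203.0.113.5","method":"POST","uri":"/actions/ajax.php","body":"mode=add_comment&obj_id=42+AND+SLEEP(5)&comment=x"}
{"ts":"2026-01-10T10:00:03Z","src":"198.51.100.9","method":"POST","uri":"/actions/ajax.php","body":"mode=add_comment&obj_id=42+OR+1%3D1--&comment=x"}
{"ts":"2026-01-10T10:00:04Z","src":"198.51.100.9","method":"POST","uri":"/actions/ajax.php","body":"mode=add_comment&obj_id=00000000000000000042&comment=x"}
{"ts":"2026-01-10T10:00:05Z","src":"192.0.2.7","method":"GET","uri":"/watch_video.php","body":""}
{"ts":"2026-01-10T10:00:06Z","src":"192.0.2.8","method":"POST","uri":"/actions/ajax.php","body":"mode=add_comment&obj_id=7&comment=the+best+select+FOR+me"}
"""


def classify(value: str) -> list:
    """Explain why a non-integer obj_id was flagged (for triage, not for the
    decision itself: the decision is simply 'not a short integer')."""
    reasons = []
    if SQL_SYNTAX.search(value):
        reasons.append("sql-syntax")
    if SQL_KEYWORDS.search(value):
        reasons.append("sql-keyword")
    if len(value) > 10:
        reasons.append("overlong")
    if not reasons:
        reasons.append("non-numeric")
    return reasons


def scan(log_text: str) -> list:
    """Return one finding per suspicious obj_id value seen on the target endpoint."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri") != TARGET_URI:
            continue
        # parse_qs undoes the form encoding ('+' -> space, %3D -> '=') so the
        # checks below see the value the application itself would see.
        params = parse_qs(rec.get("body", ""), keep_blank_values=True)
        for raw in params.get("obj_id", []):
            if VALID_OBJ_ID.fullmatch(raw):
                continue  # a plain integer is legitimate, whatever the comment says
            findings.append(
                {"ts": rec["ts"], "src": rec["src"], "obj_id": raw, "reasons": classify(raw)}
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Pivoting the findings by src (or by the authenticated user, if the log records it) separates a single malformed request from the hundreds of near-identical probes a blind extraction generates.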

🔗 References

  • Vendor advisory: https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-crpv-fmc4-j392