Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-49482

CVE-2026-49482: ClipBucket v5 SQLi Vulnerability

CVE-2026-49482 is a SQL injection flaw in ClipBucket v5 allowing authenticated users to exploit SQL wildcard characters in the subtitle editing endpoint. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-49482 Overview

CVE-2026-49482 affects ClipBucket v5, an open source video sharing platform. The vulnerability is an improper neutralization of SQL wildcard characters [CWE-155] in the subtitle editing endpoint. An authenticated user can submit the % character as the number parameter to match every subtitle row belonging to a video they own. The application processes the wildcard in a single HTTP request and overwrites all subtitle titles for that video at once. Maintainers patched the issue in version 5.5.3 - #141.

Critical Impact

An authenticated attacker can overwrite all subtitle titles of any video they own through a single HTTP request abusing SQL wildcard expansion.

Affected Products

  • ClipBucket v5 versions prior to 5.5.3 - #141
  • Self-hosted ClipBucket v5 instances exposing the subtitle editing endpoint
  • Deployments allowing authenticated user-generated content management

Discovery Timeline

  • 2026-06-12 - CVE-2026-49482 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-49482

Vulnerability Analysis

The defect lives in the subtitle editing endpoint of ClipBucket v5. The endpoint accepts a number parameter that identifies which subtitle entry to update. The application passes this parameter into a SQL statement without escaping SQL wildcard characters. When a user supplies %, the SQL LIKE operator interprets it as a match-all pattern. Every subtitle row associated with the targeted video matches the predicate.

The update then applies the new title value to every matching row. The result is mass overwriting of subtitle titles within a single request. Exploitation requires only a valid authenticated session and ownership of the targeted video.

The weakness maps to CWE-155, Improper Neutralization of Wildcards or Matching Symbols in a Data Query Logic. The flaw does not enable arbitrary SQL execution. It enables abuse of intended query semantics through unsanitized wildcards.

Root Cause

The root cause is missing neutralization of the % and likely _ wildcard characters before the number parameter reaches a LIKE-based SQL clause. The endpoint trusts client-supplied input as a precise row identifier rather than a pattern. Without escaping, the wildcard expands the selector beyond the intended single record.

Attack Vector

The attacker authenticates to a vulnerable ClipBucket v5 instance and identifies a video they own that has multiple subtitle entries. They send a request to the subtitle editing endpoint with number=% and a chosen replacement title. The backend matches every subtitle row for the video and overwrites each title with the supplied value. Network reachability and a low-privilege account are the only prerequisites.

No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-wv43-277p-737c for maintainer-supplied details.

Detection Methods for CVE-2026-49482

Indicators of Compromise

  • HTTP requests to the ClipBucket v5 subtitle editing endpoint containing number=% or URL-encoded number=%25 in the body or query string.
  • Sudden bulk changes to subtitle titles where multiple rows share an identical newly written value.
  • Audit log entries showing a single authenticated session updating many subtitle rows within milliseconds.

Detection Strategies

  • Inspect web server access logs for subtitle editing requests where the number parameter contains SQL wildcard characters such as % or _.
  • Query the database for subtitle tables in which many rows under the same video_id share identical titles and update timestamps.
  • Correlate authenticated session identifiers with high-volume subtitle modification events to surface abusive accounts.

Monitoring Recommendations

  • Enable verbose application logging for subtitle management actions and forward logs to a centralized analytics platform.
  • Configure a web application firewall rule to alert on wildcard characters within parameters expected to be numeric identifiers.
  • Track schema-level change rates on subtitle tables and alert when update counts per session exceed a defined baseline.

How to Mitigate CVE-2026-49482

Immediate Actions Required

  • Upgrade ClipBucket v5 to version 5.5.3 - #141 or later, which contains the official fix.
  • Audit subtitle data for unauthorized overwrites and restore from backup where integrity has been lost.
  • Review authentication logs to identify accounts that may have triggered wildcard-based subtitle updates.

Patch Information

The maintainers addressed the vulnerability in ClipBucket v5 release 5.5.3 - #141. Details are published in the GitHub Security Advisory GHSA-wv43-277p-737c. Operators should apply the upstream release rather than backporting individual commits to ensure all related changes are present.

Workarounds

  • Restrict access to the subtitle editing endpoint behind an authenticated reverse proxy that validates the number parameter as a strict integer.
  • Deploy a web application firewall rule that rejects requests where parameters expected to be numeric contain % or _.
  • Temporarily limit subtitle editing privileges to trusted administrative users until the patched release is deployed.
bash
# Example WAF rule (ModSecurity) to block wildcard characters in the number parameter
SecRule ARGS:number "@rx [%_]" \
  "id:1004982,phase:2,deny,status:400,\
  msg:'CVE-2026-49482 ClipBucket subtitle wildcard blocked',\
  tag:'application-multi',tag:'language-multi',tag:'platform-multi'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.