CVE-2026-49482 PUBLISHED

ClipBucket: SQL Wildcard Injection in Subtitle Edit Endpoint Allows Mass Subtitle Overwrite

Assigner: GitHub_M
Reserved: 30.05.2026 Published: 11.06.2026 Updated: 12.06.2026

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request. This issue has been patched in version 5.5.3 - #141.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	MacWarrior
Product	clipbucket-v5
Versions	Version < 5.5.3 - #141 is affected

References

https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-wv43-277p-737c

Problem Types

CWE-155: Improper Neutralization of Wildcards or Matching Symbols CWE
CWE-943: Improper Neutralization of Special Elements in Data Query Logic CWE