External risk intelligence

ClipBucket Blind SQL Injection Vulnerability in actions/progress_video.php

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-45060

ClipBucket, an open-source video sharing platform, has a blind SQL injection vulnerability in its `actions/progress_video.php` endpoint. This allows unauthenticated users to execute SQL queries, potentially leading to the exfiltration of sensitive data.

Halo Surface Signal score: 5

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-45060

ClipBucket is a video sharing platform designed to be a public-facing web application. By definition, a video sharing platform must be accessible from the internet to function as intended, and this vulnerability exists in an endpoint that is reachable by unauthenticated users, making the attack surface public by design.

PCI scan relevance

PCI Relevance for CVE-2026-45060

Yes

CVE-2026-45060 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

A blind SQL injection vulnerability in ClipBucket v5 allows unauthenticated users to exfiltrate sensitive data, which would cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in ClipBucket, an open-source video-sharing platform, that could allow unauthorized access to sensitive data through SQL injection. The issue affects an unauthenticated endpoint, meaning any internet user could potentially exploit it. This could have significant implications if the platform contains proprietary or personally identifiable information.

  • Unauthenticated users can access sensitive data.
  • Platform's public nature increases exposure risk.
  • Confirm relevance and potential data exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated user can exploit a flaw in the `actions/progress_video.php` endpoint of ClipBucket v5. This vulnerability allows attackers to submit malicious SQL queries through the `ids` parameter, potentially leading to the exfiltration of sensitive data.

  • No authentication required.
  • Unsanitized `ids` parameter in endpoint.
  • Sensitive data exfiltration risk.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated user could exploit a vulnerability in the `actions/progress_video.php` endpoint of ClipBucket v5 to execute SQL queries. This could allow for the exfiltration of sensitive data stored within the application's database when the platform is accessible online.

  • Application database.
  • Via an unauthenticated network request.
  • Sensitive data exfiltration.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in ClipBucket v5 affects the `actions/progress_video.php` endpoint, allowing unauthenticated users to perform blind SQL injection. Real-world ownership likely falls to the platform or application team managing the ClipBucket instance, with coordination from the network and security teams to assess external reachability. The first practical step involves identifying all deployed ClipBucket instances, confirming their exposure and criticality, and then prioritizing remediation based on risk.

  • Platform/Application team ownership.
  • Verify external reachability and criticality.
  • Plan risk-based remediation.
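As a detection aid for the step above, the following added example (not ClipBucket code or the advisory's own tooling) scans web-server access logs for requests to `actions/progress_video.php` whose `ids` parameter is anything other than a comma-separated list of integer video ids. It assumes combined-format access logs; the log lines are constructed samples, and the integer-list grammar is an assumption about what a legitimate request carries.

```python
"""Flag requests to ClipBucket's actions/progress_video.php whose `ids`
parameter is not a plain comma-separated list of integer video ids.

Added illustration, not ClipBucket code. Assumes Apache/nginx "combined"
access-log lines; the integer-list grammar for `ids` is an assumption.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /actions/progress_video.php?ids=41,42,43 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:12:00:02 +0000] "GET /actions/progress_video.php?ids=41%27 HTTP/1.1" 200 18 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /actions/progress_video.php?ids=41,abc HTTP/1.1" 200 18 "-" "curl/8.5.0"
198.51.100.7 - - [10/Mar/2026:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/8.5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD target PROTO" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# A legitimate value: one or more decimal ids separated by commas, nothing else.
ID_LIST_RE = re.compile(r"^\d+(,\d+)*$")


def suspicious_ids_requests(log_text):
    """Return (ip, timestamp, decoded ids value) for every request that hits the
    affected endpoint with an `ids` value outside the integer-list grammar."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/actions/progress_video.php"):
            continue
        # keep_blank_values so an empty `ids=` is still examined
        for raw in parse_qs(url.query, keep_blank_values=True).get("ids", []):
            # parse_qs decodes once; a second unquote catches double-encoded values
            value = unquote(raw)
            if not ID_LIST_RE.fullmatch(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_ids_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious ids={value!r}")
```

Pipe real access logs into `suspicious_ids_requests` and correlate hits by source IP; a burst of non-numeric `ids` values from one client is the pattern to triage first.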

Frequently asked questions

What is ClipBucket?

ClipBucket is an open-source platform built for hosting and sharing video content online. It provides the necessary infrastructure for users to upload, manage, and distribute media files, often serving as a custom video-sharing site similar to public streaming services.

What is the nature of the CVE-2026-45060 vulnerability?

This vulnerability is a Blind SQL Injection, classified as CWE-89. It arises when an application fails to properly sanitize or parameterize user-supplied data before including it in a database query. In the blind variant, the query results are not returned directly in the response; an attacker instead infers them from differences in the application's behaviour, which can still disclose sensitive information stored in the database.

How is the CVE-2026-45060 vulnerability triggered?

The flaw is triggered by sending a malicious request to the `actions/progress_video.php` file on the server. Specifically, an attacker injects commands into the `ids` parameter of that URL. The vulnerability requires no login credentials to trigger, but it does not affect other parts of the platform that do not process this specific input parameter.

Who should be concerned about this vulnerability?

Anyone running an instance of ClipBucket v5 should be concerned. According to Halo Surface Signal, this software is designed to be public-facing to function, meaning the affected endpoint is likely reachable by anyone on the internet. Because the platform must be accessible to serve videos, your instance is inherently exposed to this network-based threat.

How do I secure my ClipBucket installation?

Your first step is to locate all active ClipBucket installations in your environment. Once identified, confirm which instances are reachable from the internet. Finally, update your software to version 5.5.3 - #129 or higher, which contains the fix for this issue. Prioritize this update for any instance that holds or connects to sensitive database information.
