Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into these shell commands without escaping, and the commands are then executed, so any shell metacharacter in the URL is interpreted by the shell. This results in arbitrary command execution. This issue has been patched in version 5.5.3 - #140.
References (1)
x_refsource_confirm
https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-hvfx-hxmr-28c7
Scores
CVSS v3
9.8
EPSS
0.0060
EPSS Percentile
44.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
MacWarrior/clipbucket-v5
< 5.5.3 - #140
Published
Jun 11, 2026
Tracked Since
Jun 12, 2026