Description

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into those shell commands without escaping and the commands are then executed, so any shell metacharacter in the URL is interpreted by the shell. This results in arbitrary command execution. This issue has been patched in version 5.5.3 - #140.
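The flaw class described above, shown next to two ways of closing it, as an added PHP example that is not ClipBucket's code or its patch. The function names, the sample URL and the use of `ffprobe` as the external command are assumptions; the record does not name the commands involved.

```php
<?php
declare(strict_types=1);
// Added illustration, not ClipBucket code. Function names and the use of
// ffprobe as the external tool are assumptions made for this example.

// Pattern the description reports: the URL is pasted into a command line,
// so the shell parses every metacharacter it contains.
function probe_command_unsafe(string $url): string
{
    return 'ffprobe -v error -show_format ' . $url;
}

// Accept only absolute http(s) URLs without whitespace or control bytes.
// This also guarantees the value cannot start with '-' and pass as an option.
function validate_remote_url(string $url): string
{
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        throw new InvalidArgumentException('whitespace or control byte in URL');
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only absolute http(s) URLs accepted');
    }
    return $url;
}

// If a shell string is unavoidable, quote the URL as exactly one word.
function probe_command_quoted(string $url): string
{
    return 'ffprobe -v error -show_format ' . escapeshellarg(validate_remote_url($url));
}

// Preferred: pass an argv array (PHP >= 7.4) so no shell is involved at all.
function run_probe(string $url): ?string
{
    $argv = ['ffprobe', '-v', 'error', '-show_format', validate_remote_url($url)];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return proc_close($proc) === 0 ? $out : null;
}

// Constructed sample: valid URL syntax, yet ';' still matters to a shell.
$sample = 'https://media.example/clip.mp4;id';
echo probe_command_unsafe($sample), PHP_EOL; // ';id' reaches the shell unquoted
echo probe_command_quoted($sample), PHP_EOL; // URL is one single-quoted argument
```

The sample passes URL validation, which is why validation alone does not remove the injection: the quoting or the argv form is what keeps the shell from interpreting the value.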

PUBLISHED Reserved 2026-04-30 | Published 2026-06-11 | Updated 2026-06-12 | Assigner GitHub_M




CRITICAL: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 5.5.3 - #140: affected

References

github.com/...ket-v5/security/advisories/GHSA-hvfx-hxmr-28c7 (tagged: exploit)

github.com/...ket-v5/security/advisories/GHSA-hvfx-hxmr-28c7

cve.org (CVE-2026-42846)

nvd.nist.gov (CVE-2026-42846)
