CVE-2026-42846
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, the Remote Play feature allowed adding videos by importing an external URL, leading to arbitrary command execution due to improper URL handling.
Risk Assessment
Exploitation of this vulnerability could lead to remote execution of arbitrary commands on the server, posing a serious security threat to the organization.
Recommendation
It is recommended to upgrade to version 5.5.3 - #140 or later to mitigate this vulnerability.
Original NVD description (English source)
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into shell commands without escaping then executed, so any shell metacharacter in the URL is interpreted. This results in arbitrary command execution. This issue has been patched in version 5.5.3 - #140.

