CVE-2026-26005

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #45, in Clip Bucket V5, The Remote Play allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SSRF can be triggered, causing GET requests to be sent to internal servers. An attacker can exploit this to scan the internal network. Even a regular (non-privileged) user can carry out the attack.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/MacWarrior/clipbucket-v5/commit/a9e0f2322fb37501dfd4f44079fc7826a132503a	Patch
https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-69xj-2pq3-5r4v	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-12 21:16

Updated : 2026-02-18 14:59

NVD link : CVE-2026-26005

Mitre link : CVE-2026-26005

CVE.ORG link : CVE-2026-26005

JSON object : View

Products Affected

oxygenz

clipbucket

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-26005", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}]}, "published": "2026-02-12T21:16:03.173", "references": [{"url": "https://github.com/MacWarrior/clipbucket-v5/commit/a9e0f2322fb37501dfd4f44079fc7826a132503a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-69xj-2pq3-5r4v", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #45, in Clip Bucket V5, The Remote Play allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SSRF can be triggered, causing GET requests to be sent to internal servers. An attacker can exploit this to scan the internal network. Even a regular (non-privileged) user can carry out the attack."}, {"lang": "es", "value": "ClipBucket v5 es una plataforma de c\u00f3digo abierto para compartir videos. Anterior a la versi\u00f3n 5.5.3 - #45, en Clip Bucket V5, la funci\u00f3n 'Remote Play' permite crear entradas de video que referencian URLs de videos externos sin subir los archivos de video al servidor. Sin embargo, al especificar un host de red interno en la URL del video, se puede activar un SSRF, lo que provoca que se env\u00eden solicitudes GET a servidores internos. Un atacante puede explotar esto para escanear la red interna. Incluso un usuario regular (no privilegiado) puede llevar a cabo el ataque."}], "lastModified": "2026-02-18T14:59:54.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "192CAFEB-B38F-4FE1-8C93-33AEF06A2502", "versionEndExcluding": "5.5.3-45", "versionStartIncluding": "5.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}