CVE-2026-21875

CRITICAL CVSS 3.1: 9.8 EPSS 0.05%
Updated Jan 27, 2026
Oxygenz
CVSS: 9.8 (CRITICAL)
Affected Versions: 5.3 to 5.5.2-191
Fixed In: 5.5.2-191
Type: CWE-89 (SQL Injection)
Vendor: Oxygenz
Public PoC: No

ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint.

The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class.php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class.php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection.

This issue does not have a fix at the time of publication.
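
The concatenation pattern described above, next to a validated and bound-parameter version, as an added example that is not ClipBucket code and not part of the original advisory. The in-memory SQLite database, the users table and the functions user_exists_concat and user_exists_bound are assumptions made for illustration.

```php
<?php
// Added illustration: NOT ClipBucket source. The schema and both functions
// below are hypothetical stand-ins for an "does this id exist" count check.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO users (userid, username) VALUES (7, 'alice'), (8, 'bob')");

// Vulnerable shape: the request value is pasted into the SQL text, so a quote
// character in it changes the structure of the WHERE clause.
function user_exists_concat(PDO $pdo, string $id): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE userid = '" . $id . "'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// Hardened shape: reject anything that is not a plain decimal id, then bind
// the value so the database never parses it as SQL.
function user_exists_bound(PDO $pdo, string $id): bool
{
    if (!ctype_digit($id)) {
        return false;
    }
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE userid = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: an existing id, a missing id, and the string quoted in
// the advisory text. User id 1 does not exist in this sample table.
$inputs = ['7', '1', "1' or 1=1-- -"];
foreach ($inputs as $obj_id) {
    printf(
        "%-16s concat=%-5s bound=%s\n",
        $obj_id,
        var_export(user_exists_concat($pdo, $obj_id), true),
        var_export(user_exists_bound($pdo, $obj_id), true)
    );
}
```

For the third input the concatenated query reports that the user exists even though id 1 is absent, while the bound version rejects it before any query runs.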

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Privileges Required: None (no privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: High (complete data modification)
Availability: High (complete denial of service)

Vulnerable Products (1)

Configuration: Oxygenz Clipbucket
CPE: cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*
From (including): 5.3
Up to (excluding): 5.5.2-191