CVE-2026-21875
Published: 08 January 2026
Summary
CVE-2026-21875 is a critical-severity SQL Injection (CWE-89) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 18.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-10 (Information Input Validation): directly mitigates the blind SQL injection by enforcing validation of the unsanitized obj_id parameter before it is used in database queries.
- SI-2 (Flaw Remediation): addresses the vulnerability by requiring identification, testing, and application of fixes or patches for the SQL injection flaw in ClipBucket.
- RA-5 (Vulnerability Monitoring and Scanning): enables detection of the blind SQL injection vulnerability through regular vulnerability scanning of the affected web application endpoints.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques? The flaw is directly and remotely exploitable: unauthenticated blind SQL injection in a public-facing web application endpoint (/actions/ajax.php), which maps to Exploit Public-Facing Application (T1190).
NVD Description
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class.php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class.php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication.
Deeper analysis [AI]
CVE-2026-21875 is a Blind SQL Injection vulnerability (CWE-89) in ClipBucket v5, an open source video sharing platform. It affects versions 5.5.2-#187 and below. The issue arises in the add comment section within a channel, where a POST request to the /actions/ajax.php endpoint passes the obj_id parameter directly to the user_exists function in upload/includes/classes/user.class.php. This parameter is then used unsanitized in the count function within upload/includes/classes/db.class.php, allowing injection via payloads like 1' or 1=1-- -.
An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By submitting a crafted obj_id in the POST request, they can trigger blind SQL injection, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as rated 9.8 by CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
The GitHub security advisory GHSA-crpv-fmc4-j392 states that no fix is available at the time of publication on 2026-01-08. Administrators should restrict access to affected endpoints, validate inputs, or upgrade upon patch release.
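To make the SI-10 mitigation concrete, the following added example (not ClipBucket's own code, and not taken from the advisory) shows the vulnerable pattern the NVD description outlines next to a hardened version of the same check: the id is validated as a positive integer and then bound as a prepared-statement parameter, so the quoted payload is rejected before it ever reaches the database. Function and table names (user_exists_vulnerable, user_exists_hardened, users, userid) are hypothetical, and an in-memory SQLite database with constructed rows stands in for the real one.

```php
<?php
// Added example, not ClipBucket's code. Names below are hypothetical.
declare(strict_types=1);

// In-memory SQLite with constructed sample data stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users (userid, username) VALUES (1, 'alice'), (2, 'bob')");

// Vulnerable pattern, mirroring what the advisory describes: the caller-supplied
// id is concatenated into the query text without validation or sanitization.
function user_exists_vulnerable(PDO $pdo, string $id): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE userid = '" . $id . "'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// Hardened pattern: (1) validate that the id is a positive integer and reject
// anything else before it gets near SQL; (2) bind the value as a typed parameter
// so the database never interprets it as part of the query text.
function user_exists_hardened(PDO $pdo, string $id): bool
{
    $validated = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validated === false) {
        // Reject rather than "clean up": a non-integer obj_id has no legitimate meaning here.
        throw new InvalidArgumentException('obj_id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE userid = :id');
    $stmt->bindValue(':id', $validated, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// The input quoted in the NVD description, used here as a constructed test value.
$payload = "1' or 1=1-- -";

// With concatenation the tautology changes the WHERE clause, so a non-existent
// id still "exists"; compare the result for a plain unknown id.
var_dump(user_exists_vulnerable($pdo, '42'));
var_dump(user_exists_vulnerable($pdo, $payload));

// With validation plus binding the legitimate id works and the payload is
// rejected before any query is built.
var_dump(user_exists_hardened($pdo, '1'));
try {
    user_exists_hardened($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Both layers matter: the integer validation gives a clear failure for malformed input at the endpoint, while the bound parameter protects the query even if a future caller skips the validation. Until a patched release is available, the same allow-list check can be applied at the /actions/ajax.php entry point (or in front of it, in a web application firewall rule that only admits numeric obj_id values), which is the "restrict access to affected endpoints / validate inputs" interim measure the advisory recommends.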
Details
- CWE(s)