Vulnerability Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item (/actions/add_to_collection.php) due to missing authorization checks and delete item (/manage_collections.php?mode=manage_items...) due to a broken ownership check in removeItemFromCollection(). As a result, attackers can insert and remove items from collections they do not own. Version 5.5.3 #59 fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oxygenz | Clipbucket | >= 5.3, < 5.5.3-59 |
Related Weaknesses (CWE)
References
- https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-6wf8-rw5f-cExploitVendor Advisory
FAQ
What is CVE-2026-28354?
CVE-2026-28354 is a vulnerability with a CVSS score of 6.5 (MEDIUM). ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify ano...
How severe is CVE-2026-28354?
CVE-2026-28354 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28354?
Check the references section above for vendor advisories and patch information. Affected products include: Oxygenz Clipbucket.