PatchSiren cyber security CVE debrief
CVE-2026-42846 MacWarrior CVE debrief
CVE-2026-42846 is a critical vulnerability in ClipBucket v5, an open-source video sharing platform. The vulnerability exists in the Remote Play feature, which allows authenticated users to add videos by importing external URLs. Because user-supplied URLs are not properly escaped, an attacker can inject shell metacharacters, leading to arbitrary command execution on the server. The vulnerability has a CVSS score of 9.8 and is rated CRITICAL. The issue was patched in version 5.5.3 - #140.
- Vendor: MacWarrior
- Product: clipbucket-v5
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Administrators and users of ClipBucket v5, especially those with authenticated access, should be aware of this vulnerability and take immediate action to update to version 5.5.3 - #140 or later.
Technical summary
The vulnerability is caused by the concatenation of user-input URLs directly into shell commands without proper escaping. This allows an attacker to inject shell metacharacters and execute arbitrary commands on the server.
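The pattern described above and two ways to close it, as an added PHP example (not ClipBucket's code or its patch). The function names and the ffprobe command line are assumptions, and the sample URLs are constructed.

```php
<?php
// Added illustration, not ClipBucket source; names and the ffprobe call are assumptions.

// BEFORE: the pattern described above. The URL becomes part of the command
// line, so the shell interprets ; | & $ ` found inside it.
function probe_cmd_unsafe(string $url): string
{
    return 'ffprobe -v error -show_format -i ' . $url;
}

// AFTER (a): when a shell string is unavoidable, quote the value as one word.
function probe_cmd_escaped(string $url): string
{
    return 'ffprobe -v error -show_format -i ' . escapeshellarg($url);
}

// Allow-list check: well-formed, http(s) only, no whitespace or control bytes.
// This narrows input but is not a shell-safety control: ; & $ are legal in URLs.
function is_acceptable_remote_url(string $url): bool
{
    if ($url === '' || strlen($url) > 2048 || preg_match('/[\x00-\x20\x7f]/', $url)
        || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// AFTER (b), preferred: no shell at all. With an array command (PHP >= 7.4)
// proc_open() executes the program directly, one argv entry per element.
function probe_remote_url(string $url, string $tool = 'ffprobe'): ?string
{
    if (!is_acceptable_remote_url($url)) {
        return null;
    }
    $argv = [$tool, '-v', 'error', '-show_format', '-i', $url];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return proc_close($proc) === 0 ? $out : null;
}

// Constructed inputs; the builders only return strings, nothing is executed.
foreach (['https://media.example/clip.mp4', 'https://media.example/clip.mp4;date'] as $u) {
    printf("%s\n  unsafe : %s\n  escaped: %s\n", $u, probe_cmd_unsafe($u), probe_cmd_escaped($u));
}
```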
Defensive priority
High
Recommended defensive actions
- Update ClipBucket to version 5.5.3 - #140 or later
- Restrict access to the Remote Play feature to trusted users only
- Monitor server logs for suspicious activity
Evidence notes
The vulnerability was reported via GitHub security advisory [GHSA-hvfx-hxmr-28c7](https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-hvfx-hxmr-28c7).
Official resources
- CVE-2026-42846 CVE record (CVE.org)
- CVE-2026-42846 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-42846 was published on 2026-06-11 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-42846)) and last modified on 2026-06-12 ([NVD detail](https://nvd.nist.gov/vuln/detail/CVE-2026-42846)).