
Yadoy666

#51799 of 53,640
4.3 CVSS total
Vulnerabilities · 1
PT-2014-2412
4.3
2014-04-08
Clipbucket · Clipbucket · CVE-2012-6644
**Name of the Vulnerable Software and Affected Versions**

ClipBucket version 2.6

**Description**

The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various parameters in different PHP files, including the `cat` parameter to files such as `channels.php`, `collections.php`, `groups.php`, or `videos.php`, the `query` parameter to `search_result.php`, or the `type` parameter to `view_collection.php` or `view_item.php`. For example, attackers can exploit the `cat` parameter in `channels.php` or the `query` parameter in `search_result.php`.

**Recommendations**

For ClipBucket version 2.6, consider disabling the vulnerable parameters, such as `cat`, `query`, and `type`, in the respective PHP files until a patch is available. Restrict access to the affected PHP files, including `channels.php`, `collections.php`, `groups.php`, `videos.php`, `search_result.php`, `view_collection.php`, and `view_item.php`, to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.