PT-2026-41126 · Unknown · Clipbucket

Macwarrior · Published 2026-05-14 · Updated 2026-05-16 · CVE-2026-42847

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L
Name of the Vulnerable Software and Affected Versions: ClipBucket versions prior to 5.5.3 - #122

Description: An SQL Injection (SQLi) issue exists in the authenticated admin endpoint "admin_area/action_logs.php". The endpoint processes the type parameter, which is passed to the fetch_action_logs() function and concatenated directly into a SQL WHERE condition on action_type without parameterization. This allows for UNION-based SQL injection, enabling direct data exfiltration from the database.

Recommendations: Update to version 5.5.3 - #122. As a temporary workaround, restrict access to the "admin_area/action_logs.php" endpoint or avoid using the type parameter until the update is applied.
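The root cause named above (a request parameter concatenated into a WHERE clause) and the fix (binding the value instead) are shown side by side below. This is an added illustration, not ClipBucket's code; ClipBucket is a PHP application, and the snippet uses Python with an in-memory SQLite table whose schema and rows are constructed for the example. The function names mirror the advisory's fetch_action_logs() only for readability, and the allowlist of action types is an assumption.

```python
import sqlite3

# Constructed sample rows; this is not ClipBucket's real schema or data.
SAMPLE_LOGS = [
    ("login", "alice", "2026-05-14 10:00:00"),
    ("upload", "bob", "2026-05-14 10:05:00"),
    ("login", "carol", "2026-05-14 10:07:00"),
]


def make_db():
    """Build an in-memory action_logs table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE action_logs (action_type TEXT, username TEXT, date_added TEXT)"
    )
    conn.executemany("INSERT INTO action_logs VALUES (?, ?, ?)", SAMPLE_LOGS)
    return conn


def fetch_action_logs_vulnerable(conn, log_type):
    """The pattern the advisory describes: the request parameter becomes SQL text."""
    sql = (
        "SELECT action_type, username, date_added FROM action_logs "
        "WHERE action_type = '" + log_type + "'"
    )
    return conn.execute(sql).fetchall()


def fetch_action_logs_bound(conn, log_type):
    """Bound parameter: the value is sent separately and can never alter the query."""
    sql = (
        "SELECT action_type, username, date_added FROM action_logs "
        "WHERE action_type = ?"
    )
    return conn.execute(sql, (log_type,)).fetchall()


# Assumed allowlist; a parameter that selects a log category should only take known values.
ALLOWED_TYPES = {"login", "upload", "delete"}


def fetch_action_logs_hardened(conn, log_type):
    """Allowlist check in front of the bound query: reject unexpected input early."""
    if log_type not in ALLOWED_TYPES:
        raise ValueError("unknown action type")
    return fetch_action_logs_bound(conn, log_type)


def compare(log_type):
    """Return (vulnerable_rows, bound_rows) for the same input, for demonstration."""
    conn = make_db()
    return (
        len(fetch_action_logs_vulnerable(conn, log_type)),
        len(fetch_action_logs_bound(conn, log_type)),
    )


if __name__ == "__main__":
    # A legitimate value behaves the same in both variants.
    print("login:", compare("login"))
    # A tautology supplied as the type parameter widens the concatenated query to every row,
    # while the bound query simply matches nothing.
    print("tautology:", compare("' OR '1'='1"))
```

Running the block prints `(2, 2)` for the legitimate value and `(3, 0)` for the tautology: the concatenated query returns every row in the table, the bound query returns none. The allowlist in fetch_action_logs_hardened is a second, independent layer; it is what a temporary mitigation would look like if the endpoint must stay reachable, but it does not replace parameterization.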

Tags: Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2026-42847

Affected Products: Clipbucket