{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26997", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T01:41:24.607Z", "datePublished": "2026-02-27T19:15:11.123Z", "dateUpdated": "2026-02-27T20:24:08.947Z"}, "containers": {"cna": {"title": "ClipBucket v5 has Stored XSS via Collection name", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-97r6-4hmx-hcrh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-97r6-4hmx-hcrh"}, {"name": "https://github.com/MacWarrior/clipbucket-v5/commit/2da4c8e41f9e4baf47ff89f8a674fbe9b63ac76d", "tags": ["x_refsource_MISC"], "url": "https://github.com/MacWarrior/clipbucket-v5/commit/2da4c8e41f9e4baf47ff89f8a674fbe9b63ac76d"}], "affected": [{"vendor": "MacWarrior", "product": "clipbucket-v5", "versions": [{"version": "< 5.5.3 #59", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T19:15:11.123Z"}, "descriptions": [{"lang": "en", "value": "ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 fixes the issue."}], "source": {"advisory": "GHSA-97r6-4hmx-hcrh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:23:59.792150Z", "id": "CVE-2026-26997", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:24:08.947Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26997", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T20:23:59.792150Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:24:05.312Z"}}], "cna": {"title": "ClipBucket v5 has Stored XSS via Collection name", "source": {"advisory": "GHSA-97r6-4hmx-hcrh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "MacWarrior", "product": "clipbucket-v5", "versions": [{"status": "affected", "version": "< 5.5.3 #59"}]}], "references": [{"url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-97r6-4hmx-hcrh", "name": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-97r6-4hmx-hcrh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MacWarrior/clipbucket-v5/commit/2da4c8e41f9e4baf47ff89f8a674fbe9b63ac76d", "name": "https://github.com/MacWarrior/clipbucket-v5/commit/2da4c8e41f9e4baf47ff89f8a674fbe9b63ac76d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T19:15:11.123Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26997", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:24:08.947Z", "dateReserved": "2026-02-17T01:41:24.607Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T19:15:11.123Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AC9B64A-469F-4E76-9B21-E45B20FDD200", "versionEndExcluding": "5.5.3-59", "versionStartIncluding": "5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 fixes the issue."}], "id": "CVE-2026-26997", "lastModified": "2026-03-03T20:10:04.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T20:21:37.503", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/MacWarrior/clipbucket-v5/commit/2da4c8e41f9e4baf47ff89f8a674fbe9b63ac76d"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-97r6-4hmx-hcrh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.5.3 #59)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "clipbucket-v5", "source": "cna", "vendor": "MacWarrior"}, "product": "clipbucket-v5", "vendor": "macwarrior"}], "analysis": {"en": {"generated_at": "2026-04-16T15:22:01.314632+00:00", "value": {"mitigation_remediation": ["Upgrade ClipBucket to version 5.5.3 #59 or later to apply the vendor fix for the stored XSS issue.", "Ensure that collection names are sanitized or escaped before rendering to prevent injection of executable script.", "Restrict the ability to create or rename collections to trusted administrative roles and audit input validation to mitigate future XSS risks."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via Collection name"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in MacWarrior\u2019s ClipBucket v5, affecting any installation running a version earlier than 5.5.3 #59. The affected product is the open\u2011source video sharing platform delivered under the CPE for oxygenz:clipbucket. Versions prior to the 5.5.3 #59 release are susceptible.", "description_and_impact": "ClipBucket v5 allows a normal authenticated user to store a malicious script in the name of a collection. The payload is executed when an administrator loads or edits the collection, resulting in stored cross\u2011site scripting that runs within the admin\u2019s browser context. This can lead to theft of authentication cookies, session hijacking, or defacement of the admin interface, thereby compromising the confidentiality and integrity of sensitive administrative sessions.", "risk_and_exploitability": "The base CVSS score is 2.0, indicating low severity. The EPSS score is below 1\u202f%, suggesting a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attack execution requires the attacker to be an authenticated regular user to store the payload, and the triggering action demands an admin to view or edit the malicious collection name, meaning the exploit depends on privileged access to the admin interface and user input handling in the collection name field."}}}}, "created": "2026-03-02T12:05:11.759723+00:00", "updated": "2026-04-16T15:30:06.221174+00:00", "vendors": ["macwarrior", "macwarrior$PRODUCT$clipbucket-v5"]}