Skip to main content
Mallory
Back to vulnerabilities
Critical

Command Injection in ClipBucket v5 Remote Play

IdentifiersCVE-2026-42846CWE-78· Improper Neutralization of Special…

CVE-2026-42846 is a command injection vulnerability in ClipBucket v5 affecting versions prior to 5.5.3 - #140. The issue resides in the Remote Play feature, which allows a user to add a video by importing an external URL as the source. ClipBucket passes the supplied URL into shell commands and concatenates it directly without proper escaping or neutralization. As a result, shell metacharacters embedded in the URL are interpreted by the operating system, allowing arbitrary command execution in the context of the ClipBucket application.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary OS command execution on the underlying server hosting ClipBucket. This can lead to full compromise of the application environment, including unauthorized access to data, modification or destruction of content, deployment of additional malware or persistence mechanisms, and disruption of service availability. The provided CVSS context indicates high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, disable or restrict access to the Remote Play feature, especially for untrusted users. Limit which accounts can import external URLs, apply strict server-side validation and sanitization of URL input, and prevent the web application from invoking shell commands with user-controlled data. Additional hardening such as least-privilege execution for the ClipBucket service account and containment of the application environment can reduce blast radius, but these measures do not fully remediate the vulnerability.

Remediation

Patch, then assume compromise.

Upgrade ClipBucket to version 5.5.3 - #140 or later, which contains the vendor patch for this issue. Because the flaw is caused by direct concatenation of untrusted URL input into shell commands, remediation should ensure that user-controlled input is never passed to shell execution unsafely and that safer APIs or strict argument handling are used instead of shell interpolation.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-42846
NVD
nvd.nist.gov/vuln/detail/CVE-2026-42846
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
github.com
github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-hvfx-hxmr-28c7