CVE-2013-10040

CRITICAL

ClipBucket <2.6 - RCE

Title source: llm

Description

ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to upload arbitrary files, including executable PHP scripts. Once uploaded, the attacker can access the file via a predictable path and trigger remote code execution.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Gabby · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/clipbucket_upload_exec.rb

View Code ZIP pw:eip

References (5)

[Product] https://clipbucket.com/

[Product] https://github.com/arslancb/clipbucket

[Exploit, Third Party Advisory] https://packetstorm.news/files/id/123480

[Exploit, Third Party Advisory] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/clipbucket_upload_exec.rb

[Third Party Advisory] https://www.vulncheck.com/advisories/clipbucket-arbitrary-file-upload-rce

Scores

CVSS v3 9.8

EPSS 0.6428

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

clip-bucket/clipbucket < 2.6

ClipBucket LLC/ClipBucket < 2.6

Published Jul 31, 2025

Tracked Since Feb 18, 2026