CVE-2026-25728

HIGH

ClipBucket 5.3-5.5.3-40 - Remote Code Execution via Avatar and Background Image Upload Race Condition

Title source: llm

Description

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, creating a window where an attacker can execute arbitrary PHP code before the file is deleted. The uploaded file was moved to a web-accessible path via move_uploaded_file(), then validated via ValidateImage(). If validation failed, the file was deleted via @unlink(). This vulnerability is fixed in 5.5.3 - #40.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-xq7c-m5r2-9wqj

Patch x_refsource_misc

https://github.com/MacWarrior/clipbucket-v5/commit/09536e6e2ca6d69a2ee83190b588c0b8116dd16d

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0028

EPSS Percentile 19.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-367

Status published

Products (1)

oxygenz/clipbucket 5.3 - 5.5.3-40

Published Feb 10, 2026

Tracked Since Feb 18, 2026