Description
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, creating a window where an attacker can execute arbitrary PHP code before the file is deleted. The uploaded file was moved to a web-accessible path via move_uploaded_file(), then validated via ValidateImage(). If validation failed, the file was deleted via @unlink(). This vulnerability is fixed in 5.5.3 - #40.
Published: 2026-02-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A time‑of‑check to time‑of‑use race condition in ClipBucket v5 allows an attacker to upload an avatar or background image that is moved to a web‑accessible directory before the file is validated. If the validation fails, the file is deleted, but the window created before deletion can be exploited to execute arbitrary PHP code, resulting in remote code execution on the server.

Affected Systems

The vulnerability affects any ClipBucket v5 installation running a version earlier than 5.5.3. The fix is contained in commit 5.5.3 – #40, which enforces validation before the file becomes web‑accessible. The affected product is the open‑source ClipBucket v5 as identified by the CNA MacWarrior.

Risk and Exploitability

With a CVSS score of 9.3 the weakness represents a high severity REMOTE CODE EXECUTION. The EPSS score is below 1 %, indicating a low current exploitation probability, although the threat remains significant because the attack can be carried out from a standard upload form without elevated privileges. The vulnerability is not listed in the CISA KEV catalog, but the lack of a public exploit does not change the potential impact. Based on the description it is inferred that an attacker can upload a maliciously crafted image file through the avatar or background upload interface to trigger the race condition and gain code execution.

Generated by OpenCVE AI on April 17, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ClipBucket to version 5.5.3 or later, which implements proper validation before the image is made web‑accessible.
  • Configure the web server to disable PHP execution in the upload directory (e.g., using .htaccess with `php_flag engine off` or equivalent server‑like configuration).
  • Continuously monitor the upload logs for suspicious or large file uploads and employ a WAF rule that blocks executable content in the avatar/background upload paths.

Generated by OpenCVE AI on April 17, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Oxygenz
Oxygenz clipbucket
CPEs cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*
Vendors & Products Oxygenz
Oxygenz clipbucket
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Macwarrior
Macwarrior clipbucket-v5
Vendors & Products Macwarrior
Macwarrior clipbucket-v5

Tue, 10 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, creating a window where an attacker can execute arbitrary PHP code before the file is deleted. The uploaded file was moved to a web-accessible path via move_uploaded_file(), then validated via ValidateImage(). If validation failed, the file was deleted via @unlink(). This vulnerability is fixed in 5.5.3 - #40.
Title ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition
Weaknesses CWE-367
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Macwarrior Clipbucket-v5
Oxygenz Clipbucket
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T15:30:33.904Z

Reserved: 2026-02-05T16:48:00.426Z

Link: CVE-2026-25728

cve-icon Vulnrichment

Updated: 2026-02-11T15:30:04.295Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:38.053

Modified: 2026-02-18T15:02:02.293

Link: CVE-2026-25728

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses