CVE-2026-25728

7.5 HIGH

📋 TL;DR

ClipBucket v5 versions before 5.5.3 - #40 have a TOCTOU (time-of-check to time-of-use) race condition in avatar and background image uploads: the uploaded file is written to a web-accessible location first and validated afterwards, and an invalid file is only deleted once validation fails. An authenticated attacker can upload a file with a .php extension and request it in the window between the write and the deletion, executing arbitrary PHP on the server. This affects all ClipBucket v5 installations with upload functionality enabled.

💻 Affected Systems

Products:
  • ClipBucket v5
Versions: All versions prior to 5.5.3 - #40
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires upload functionality to be enabled (default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Webshell installation allowing persistent access, data exfiltration, or lateral movement within the network.

🟢 If Mitigated: File upload attempts logged but blocked, with no successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an authenticated account that can change its avatar or background image, plus winning the race: the attacker must request the uploaded file before the failed validation deletes it. The window is small but can be widened by repeating the upload while a second client polls the file's URL.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.3 - #40

Vendor Advisory: https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-xq7c-m5r2-9wqj

Restart Required: No

Instructions:

1. Back up your installation (files and database).
2. Update to version 5.5.3 - #40 via git pull or by applying the patch manually.
3. Verify the fix is present by confirming that commit 09536e6e2ca6d69a2ee83190b588c0b8116dd16d is in the history of the checked-out revision (git log), then re-test the avatar and background upload paths.

🔧 Temporary Workarounds

Disable file uploads (platform: all)

Temporarily disable avatar and background image upload functionality.

Web server file extension blocking (platform: linux)

Configure the web server so that files in the upload directories are never handed to the PHP interpreter. This does not close the race, but it turns a successful upload into an inert file.

For Apache with mod_php: add 'php_flag engine off' to a .htaccess file in each upload directory. This is honored only where AllowOverride permits it and only by mod_php; with PHP-FPM, instead deny requests for PHP files in those directories (a FilesMatch block covering .php, .phtml and .phar with 'Require all denied').
For Nginx: add 'location ~ \.php$ { deny all; }' nested inside a '^~' prefix location for each upload directory. A bare regex location elsewhere in the server block is not enough: nginx uses the first matching regex location in file order, so the site's general PHP location would otherwise capture the request.
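A complete nginx server block showing the upload-directory lock-down described above, as an added example (not taken from ClipBucket's documentation or the advisory). The directory /uploads/, the document root, the hostname and the PHP-FPM socket path are placeholders: substitute the avatar and background directories of your installation.

```nginx
# Added example. /uploads/, the root, server_name and the FPM socket are assumed values.
server {
    listen 80;
    server_name clipbucket.example;           # assumed
    root /var/www/clipbucket;                  # assumed document root

    # ^~ stops nginx from consulting any regex location once this prefix matches,
    # so the generic "~ \.php$" block below can never claim a file stored here.
    location ^~ /uploads/ {
        # Refuse PHP-like extensions outright, including path-info forms (x.php/foo).
        location ~* \.(php|phtml|phar)(/|$) { return 403; }
        # Everything else is served as a static file or 404s; no fallback to index.php.
        try_files $uri =404;
        add_header X-Content-Type-Options nosniff;
    }

    # The application's normal PHP handler.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Test it after reloading by requesting a harmless text file you place in the upload directory with a .php name: the response must be 403, not the file's contents interpreted as PHP. Keep this configuration after patching as defense in depth.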

🧯 If You Can't Patch

  • Validate uploads while they are still in PHP's temporary upload location, outside the document root, and move them into a web-accessible directory only after validation succeeds. Have the server choose the final filename and extension; never reuse the client-supplied name.
  • Do not rely on filesystem permissions to stop execution: execute bits and noexec mounts have no effect on a file that the web server passes to the PHP interpreter. Block interpretation at the web server instead, and ideally keep uploads outside the document root and serve them through a handler that sets an image Content-Type.
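The TOCTOU pattern from the TL;DR beside a hardened handler, as an added illustrative example. This is not ClipBucket's code and does not reproduce its upload functions; it shows the generic write-then-validate shape the advisory describes and the validate-then-place shape the bullets above recommend. The directory constants, function names and the $_FILES-style input array are assumptions.

```php
<?php
// Added example, not ClipBucket code. UPLOAD_DIR and STAGING_DIR are assumed paths;
// STAGING_DIR must be outside the document root and on the same filesystem as UPLOAD_DIR
// so that rename() is an atomic move. Requires the GD extension.
declare(strict_types=1);

const UPLOAD_DIR  = __DIR__ . '/uploads';        // web-accessible (assumed)
const STAGING_DIR = __DIR__ . '/../var/staging'; // not web-accessible (assumed)
const MAX_BYTES   = 2 * 1024 * 1024;

// VULNERABLE SHAPE (do not use). The file is reachable under the web root as soon as
// move_uploaded_file() returns and is validated only afterwards. Between the move and
// the unlink() a second request for /uploads/<name>.php is executed by the interpreter.
function vulnerable_avatar_upload(array $file): ?string
{
    $dest = UPLOAD_DIR . '/' . basename($file['name']);  // client controls the extension
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    if (getimagesize($dest) === false) {   // check happens after the file is live
        unlink($dest);                      // too late: the race window is already open
        return null;
    }
    return $dest;
}

// HARDENED SHAPE. Validate the temporary upload in place, derive the type from the
// decoded bytes rather than the client-supplied name, re-encode so no foreign bytes
// survive, and only then move the finished file into the web-accessible directory.
function hardened_avatar_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > MAX_BYTES) {
        return null;
    }
    $info = @getimagesize($file['tmp_name']);   // reads the image header, not the name
    if ($info === false) {
        return null;
    }
    // Allow-list of decoder/encoder pairs; any other type is rejected outright.
    $codecs = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    ];
    if (!isset($codecs[$info[2]])) {
        return null;
    }
    [$decode, $encode, $ext] = $codecs[$info[2]];
    $img = @$decode($file['tmp_name']);
    if ($img === false) {
        return null;
    }
    // Server-chosen name: random, fixed extension, no client-supplied path components.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $tmp  = tempnam(STAGING_DIR, 'avatar');   // still outside the web root
    $ok   = $tmp !== false && $encode($img, $tmp);
    imagedestroy($img);
    if (!$ok) {
        if ($tmp !== false) { unlink($tmp); }
        return null;
    }
    $dest = UPLOAD_DIR . '/' . $name;
    // Atomic rename on the same filesystem: the file is either fully validated or absent.
    if (!rename($tmp, $dest)) {
        unlink($tmp);
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

// Usage from a request handler (assumed form field name "avatar"):
// $stored = hardened_avatar_upload($_FILES['avatar']);
```

Re-encoding through GD also strips polyglot payloads (PHP code hidden in EXIF or trailing bytes), which a header check alone does not. Even with this handler in place, keep PHP execution disabled in the upload directory: the two controls cover different failure modes.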

🔍 How to Verify

Check if Vulnerable:

Check whether your ClipBucket version is below 5.5.3 - #40. If you maintain local modifications, also review the avatar and background upload handlers for the TOCTOU pattern: a move of the uploaded file into a web-accessible directory that happens before content validation, with deletion on failure.

Check Version:

Check version in ClipBucket admin panel or review CHANGELOG.md file.

Verify Fix Applied:

Confirm that commit 09536e6e2ca6d69a2ee83190b588c0b8116dd16d is present in the deployed revision, then exercise the avatar and background upload paths with a valid image and with a non-image file carrying a .php extension; the latter must be rejected without ever becoming reachable under the web root.

📡 Detection & Monitoring

Log Indicators:

  • Bursts of POST requests to the avatar or background upload endpoints from a single account or IP (repeated attempts to win the race)
  • Application log entries showing failed image validation followed by file deletion, interleaved with requests for the same filename
  • GET requests in the web server access log for paths with a .php (or .phtml, .phar) extension under an upload directory, whatever the response code

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious timing patterns
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND (uri_path="/upload" OR uri_path="/avatar_upload") AND (file_extension=".php" OR response_code=500)

The source, field and endpoint names above are placeholders for your SIEM and installation. The higher-signal event is a request for a PHP file under an upload directory; a 500 response on the upload endpoint alone is noisy and should be correlated with the same client's subsequent requests.
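The two log indicators above turned into a check over access-log lines, as an added example that is not part of the advisory or of ClipBucket. The endpoint paths, upload directory prefix, burst threshold and the sample log lines are all constructed assumptions; adjust them to your deployment. Requires PHP 8.0 or later.

```php
<?php
// Added example, not from the advisory. Parses constructed combined-format access-log
// lines and reports (1) any request for a PHP file under the upload directory and
// (2) bursts of uploads from one client, the shape a race attempt leaves behind.
declare(strict_types=1);

const UPLOAD_ENDPOINTS  = ['/upload', '/avatar_upload'];  // assumed endpoint paths
const UPLOAD_DIR_PREFIX = '/uploads/';                     // assumed directory
const BURST_WINDOW_SEC  = 10;                               // assumed tuning values
const BURST_THRESHOLD   = 5;

// Constructed sample traffic, not real logs: one client racing, one normal user.
$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "POST /avatar_upload HTTP/1.1" 200 51 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /uploads/shell.php HTTP/1.1" 404 19 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "POST /avatar_upload HTTP/1.1" 200 51 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /uploads/shell.php HTTP/1.1" 200 19 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "POST /avatar_upload HTTP/1.1" 200 51 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2026:12:00:04 +0000] "POST /avatar_upload HTTP/1.1" 200 51 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2026:12:00:05 +0000] "POST /avatar_upload HTTP/1.1" 200 51 "-" "curl/8.4"
198.51.100.4 - - [10/Mar/2026:12:05:00 +0000] "POST /avatar_upload HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:12:05:01 +0000] "GET /uploads/ab12cd34.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG;

// Extract client IP, epoch timestamp, method, URL path and status from one log line.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);
    return [
        'ip'     => $m[1],
        'ts'     => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
        'status' => (int) $m[5],
    ];
}

function detect(string $log): array
{
    $alerts  = [];
    $uploads = [];   // ip => timestamps of POSTs to upload endpoints
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        $path = strtolower($r['path']);
        // Indicator 1: PHP-like file requested from the upload directory (any status;
        // a 404 is a failed race attempt, a 200 means the race was won).
        if (str_starts_with($path, UPLOAD_DIR_PREFIX)
            && preg_match('/\.ph(p\d?|tml|ar)(\/|$)/', $path)) {
            $alerts[] = sprintf('%s requested PHP under upload dir: %s %s -> %d',
                $r['ip'], $r['method'], $r['path'], $r['status']);
        }
        // Indicator 2: collect upload POSTs per client for burst analysis.
        if ($r['method'] === 'POST' && in_array($path, UPLOAD_ENDPOINTS, true)) {
            $uploads[$r['ip']][] = $r['ts'];
        }
    }
    foreach ($uploads as $ip => $times) {
        sort($times);
        // Sliding window: BURST_THRESHOLD uploads inside BURST_WINDOW_SEC seconds.
        for ($i = 0, $n = count($times); $i + BURST_THRESHOLD - 1 < $n; $i++) {
            if ($times[$i + BURST_THRESHOLD - 1] - $times[$i] <= BURST_WINDOW_SEC) {
                $alerts[] = sprintf('%s: %d or more uploads within %ds starting %s',
                    $ip, BURST_THRESHOLD, BURST_WINDOW_SEC, gmdate('c', $times[$i]));
                break;
            }
        }
    }
    return $alerts;
}

foreach (detect($sampleLog) as $alert) {
    echo $alert, PHP_EOL;
}
```

On the constructed sample this reports the two shell.php requests from 203.0.113.7 and its burst of five uploads, and stays silent for 198.51.100.4. The 200 on a PHP path under the upload directory is the alert to treat as a confirmed compromise, since it means the interpreter served the file.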
