Cyber Posture

CVE-2026-25728

Severity: High · Public PoC

Published: 10 February 2026
Modified: 18 February 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25728 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1505.003 Web Shell).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-367: Timestamps meeting UTC or offset standards help identify TOCTOU issues through precise chronological reconstruction of check/use operations.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The TOCTOU race condition in a public web application's file upload lets a remote user upload and execute a malicious PHP file (a web shell) before validation and deletion complete.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, creating a window where an attacker can execute arbitrary PHP code before the file is deleted. The uploaded file was moved to a web-accessible path via move_uploaded_file(), then validated via ValidateImage(). If validation failed, the file was deleted via @unlink(). This vulnerability is fixed in 5.5.3 - #40.

Deeper analysis (AI-generated)

ClipBucket v5, an open source video sharing platform, contains a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability (CVE-2026-25728, CWE-367) in its avatar and background image upload functionality prior to version 5.5.3 - #40. The issue arises because the application uses move_uploaded_file() to relocate uploaded files to a web-accessible path before calling ValidateImage() for validation. If validation fails, the file is deleted via @unlink(), but this sequence creates a brief window of exposure.

A low-privileged remote user (PR:L) can exploit this vulnerability over the network (AV:N) by uploading a malicious file containing arbitrary PHP code disguised as an image. The attack complexity is rated high (AC:H) because the attacker must win the race: the web-accessible path has to be requested during the narrow window between the move and the deletion for the PHP code to execute. Successful exploitation grants high confidentiality, integrity, and availability impacts (CVSS 7.5: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is addressed in ClipBucket v5.5.3 - #40, as detailed in the GitHub security advisory (GHSA-xq7c-m5r2-9wqj) and the fixing commit (09536e6e2ca6d69a2ee83190b588c0b8116dd16d). Security practitioners should upgrade to the patched version to mitigate the race condition.
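As an added example (not ClipBucket's code and not its actual fix), the following PHP upload handler is written to remove the window described above: the file is validated while it is still PHP's temporary upload, outside the web root, and only a file that passed validation is moved to a web-accessible path. The function names and the avatar directory are hypothetical.

```php
<?php
// Added example, not ClipBucket's code. The vulnerable ordering was
// move_uploaded_file() -> ValidateImage() -> @unlink() on failure; here the
// check runs on PHP's temporary upload, before anything is web-reachable.

// Returns the detected IMAGETYPE_* constant, or null if not an accepted image.
function validate_image_file(string $path): ?int
{
    // Only accept a path that PHP itself created for this request's upload.
    if (!is_uploaded_file($path)) {
        return null;
    }
    $info = @getimagesize($path);          // parses the real header, not the name
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if (!in_array($info[2], $allowed, true)) {
        return null;
    }
    // Second opinion from libmagic; the client-supplied MIME type is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        return null;
    }
    return $info[2];
}

// $file is one entry of $_FILES; $avatar_dir is the (hypothetical) web-served
// avatar directory. Returns the stored path, or null if the upload was rejected.
function save_avatar(array $file, string $avatar_dir, int $user_id): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $type = validate_image_file($file['tmp_name']);
    if ($type === null) {
        return null;                       // nothing was ever web-reachable
    }
    // Server-chosen name and extension: the original filename never influences
    // the destination, so a ".php" upload cannot land as a PHP file.
    $ext  = image_type_to_extension($type, false);
    $dest = rtrim($avatar_dir, '/') . '/' . $user_id . '_' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}
```

Pair this with a web-server rule that refuses to execute scripts from the avatar directory, so that even a validation bypass cannot turn an upload into a web shell.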

Details

CWE(s): CWE-367 (Time-of-check Time-of-use Race Condition)

Affected Products

Vendor: oxygenz
Product: clipbucket
Versions: 5.3 — 5.5.3-40

CVEs Like This One

CVE-2025-21624 (same product: Oxygenz Clipbucket)
CVE-2026-21875 (same product: Oxygenz Clipbucket)
CVE-2025-21623 (same product: Oxygenz Clipbucket)
CVE-2025-21622 (same product: Oxygenz Clipbucket)
CVE-2025-67418 (same product: Oxygenz Clipbucket)
CVE-2026-32321 (same product: Oxygenz Clipbucket)
CVE-2026-25052 (shared CWE-367)
CVE-2026-25641 (shared CWE-367)
CVE-2024-42444 (shared CWE-367)
CVE-2026-30332 (shared CWE-367)
