CVE-2026-25728
Published: 10 February 2026
Summary
CVE-2026-25728 is a critical-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ClipBucket v5, an open source video sharing platform, contains a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability (CVE-2026-25728, CWE-367) in its avatar and background image upload functionality prior to version 5.5.3 - #40. The issue arises because the application calls move_uploaded_file() to relocate the uploaded file to a web-accessible path before calling ValidateImage() on it. If validation fails, the file is deleted via @unlink(), but between the move and the unlink the unvalidated file is reachable through the web server, which is the window of exposure.
A low-privileged remote user (PR:L) can exploit this vulnerability over the network (AV:N) by uploading a malicious file containing arbitrary PHP code disguised as an image. Attack complexity is rated high (AC:H) because the attacker must win the race: the file has to be requested from the web-accessible path during the narrow window before deletion, and a request that lands in that window executes the PHP code. Successful exploitation grants high confidentiality, integrity, and availability impacts (CVSS v3.1 base score 7.5, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is addressed in ClipBucket v5.5.3 - #40, as detailed in the GitHub security advisory (GHSA-xq7c-m5r2-9wqj) and the fixing commit (09536e6e2ca6d69a2ee83190b588c0b8116dd16d). Security practitioners should upgrade to the patched version to mitigate the race condition.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7051
Vulnerability details
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, creating a window where an attacker can execute arbitrary PHP code before the file is deleted. The uploaded file was moved to a web-accessible path via move_uploaded_file(), then validated via ValidateImage(). If validation failed, the file was deleted via @unlink(). This vulnerability is fixed in 5.5.3 - #40.
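The ordering described in the analysis and the vulnerability details above, as an added illustration that is not ClipBucket's own code: the move-then-validate sequence beside a validate-then-move version. validate_image() is a stand-in for the application's ValidateImage(); its signature and checks, and the upload_avatar_* function names, are assumptions.

```php
<?php
// Added illustration, not ClipBucket's own code: the vulnerable ordering the
// advisory describes beside a corrected ordering. validate_image() stands in
// for the application's ValidateImage(); its signature and checks are assumed.

// Content-based check: returns the IMAGETYPE_* constant, or false for non-images.
function validate_image(string $path)
{
    $info = @getimagesize($path);          // parses the header, ignores the name
    if ($info === false) {
        return false;
    }
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    return in_array($info[2], $allowed, true) ? $info[2] : false;
}

// Vulnerable ordering (CWE-367): the upload is web-reachable before it is checked.
function upload_avatar_vulnerable(array $file, string $webDir): bool
{
    $dest = $webDir . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    if (validate_image($dest) === false) {  // window: $dest is already servable
        @unlink($dest);
        return false;
    }
    return true;
}

// Corrected ordering: check the PHP-managed temp file first, then move it under
// a server-chosen name whose extension is derived from the detected type.
function upload_avatar_fixed(array $file, string $webDir): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $type = validate_image($file['tmp_name']); // still outside the web root
    if ($type === false) {
        return false;                           // nothing to clean up
    }
    $ext  = image_type_to_extension($type, false);
    $dest = $webDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest);
}
```

The corrected version assumes PHP's upload temp directory is not served by the web server; independently of the ordering, configuring the server not to execute scripts from the avatar directory limits the damage if any check is bypassed.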
- CWE(s): CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
A TOCTOU race condition in a public-facing web application's file upload allows a remote user to upload a malicious PHP file (web shell) and have it executed before validation deletes it.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires input validation at upload points so that files are verified as valid images before being moved to web-accessible locations, directly eliminating the TOCTOU race condition.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation, including patching ClipBucket to version 5.5.3 - #40, which fixes the race condition in upload handling.
- SI-3 (Malicious Code Protection): Implements malicious code protection mechanisms to scan uploaded files for PHP shells disguised as images, mitigating exploitation during the exposure window.