Cyber Resilience

CVE-2026-25728

Critical · Public PoC

Published: 10 February 2026

Modified: 18 February 2026
KEV Added: not listed
Patch: ClipBucket v5.5.3 - #40
CVSS v4.0 base score: 9.3 (Critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0028 (19.9th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25728 is a critical-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Oxygenz ClipBucket. Its CVSS v4.0 base score is 9.3 (Critical); the v3.1 vector quoted in the deeper analysis below scores the same issue at 7.5 (High) because it counts the privilege and race-timing conditions.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ClipBucket v5, an open source video sharing platform, contains a Time-of-Check to Time-of-Use (TOCTOU) race condition (CVE-2026-25728, CWE-367) in its avatar and background image upload handling prior to version 5.5.3 - #40. The upload code calls move_uploaded_file() to place the file at a web-accessible path and only then calls ValidateImage() on it. If validation fails the file is removed with @unlink(), but between the move and the unlink the file is already being served, so the "use" (exposure on a web path) precedes the "check" (image validation). Note also that the @ operator suppresses any error from unlink(), so a failed deletion would not be reported.

The v3.1 vector (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.5) describes the exploitation conditions: a low-privileged remote user (PR:L) uploads over the network (AV:N) a file that carries PHP code but is presented as an image, then requests it from the web-accessible path before the server deletes it. The window is narrow, hence AC:H, but the attacker controls both sides of the race and can repeat the upload-and-request sequence until a request lands inside it. A request that lands executes the PHP code with the web server's privileges, provided the server hands files in that directory to the PHP interpreter, giving high confidentiality, integrity and availability impact. The CVSS v4.0 vector at the top of this page (AV:N/AC:L/PR:N) scores the same issue at 9.3 without the privilege and complexity conditions, which is why the page lists the severity as Critical.

The vulnerability is addressed in ClipBucket v5.5.3 - #40, as detailed in the GitHub security advisory (GHSA-xq7c-m5r2-9wqj) and the fixing commit (09536e6e2ca6d69a2ee83190b588c0b8116dd16d). Security practitioners should upgrade to 5.5.3 - #40 or later. Until the upgrade is applied, configuring the web server so that nothing under the avatar and background upload directories is executed as PHP removes the code-execution outcome even if the race is won; the file would then only be served as static content during the window.


Vulnerability details

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, creating a window where an attacker can execute arbitrary PHP code before the file is deleted. The uploaded file was moved to a web-accessible path via move_uploaded_file(), then validated via ValidateImage(). If validation failed, the file was deleted via @unlink(). This vulnerability is fixed in 5.5.3 - #40.
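The following is an added illustration of the ordering problem described in the deeper analysis and in the advisory text above; it is not ClipBucket's code and not the project's fix. The directory constant, the validate_image_file() helper and the assumption that the destination name comes from the uploader are all made up for the example. The vulnerable function reproduces the move-then-validate sequence; the hardened one validates PHP's temporary file, which lives outside the document root, before anything is moved.

```php
<?php
// Added illustration of the pattern described in the advisory; this is not
// ClipBucket's code. AVATAR_DIR, validate_image_file() and the way the
// destination name is derived are assumptions made for the example.
declare(strict_types=1);

const AVATAR_DIR = '/var/www/html/files/avatars';   // assumed: served by the web server

/**
 * Content-based image check. Returns the detected MIME type for an allowed
 * image, or null. Works on any path, so it can run on the PHP temp file.
 */
function validate_image_file(string $path): ?string
{
    $allowed = ['image/jpeg', 'image/png', 'image/gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);   // magic bytes, not the file name
    if (!in_array($mime, $allowed, true)) {
        return null;
    }
    if (@getimagesize($path) === false) {                  // header must parse as an image
        return null;
    }
    return $mime;
}

/**
 * VULNERABLE ordering (as described for versions before 5.5.3 - #40):
 * the file is placed on a web path first and checked afterwards, so between
 * move_uploaded_file() and unlink() a request for it can reach the PHP handler.
 */
function store_avatar_vulnerable(array $file): bool
{
    $dest = AVATAR_DIR . '/' . basename($file['name']);    // assumed: name chosen by the uploader
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    if (validate_image_file($dest) === null) {             // the check happens after the use
        @unlink($dest);                                    // too late: the window is already open
        return false;
    }
    return true;
}

/**
 * HARDENED ordering: validate the temp file where PHP put it (outside the
 * document root), then move it under a server-chosen name and extension.
 * A rejected upload never exists on a web-accessible path, so there is no window.
 */
function store_avatar_hardened(array $file, int $userId): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;                                      // not a real upload of this request
    }
    $mime = validate_image_file($file['tmp_name']);
    if ($mime === null) {
        return false;                                      // nothing to clean up
    }
    $ext  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'][$mime];
    $dest = AVATAR_DIR . '/' . $userId . '-' . bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest);   // the use happens only after the check
}

// Typical call from an upload handler (request context assumed):
// $ok = store_avatar_hardened($_FILES['avatar'], $currentUserId);
```

Two caveats on the hardened version. A polyglot file (a valid GIF or JPEG header with PHP code in a comment block or trailer) still passes finfo and getimagesize(), so the server-chosen extension matters: whatever the content, the file is never written with a name the PHP handler would pick up. As defence in depth the web server should also be configured not to execute scripts from the upload tree at all, so that even a future bug in the naming logic yields a static file rather than code execution.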

CWE(s)

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

A TOCTOU race condition in the file upload of a public-facing web application lets a remote user place malicious PHP on a web-accessible path and request it before validation deletes it (T1190); the payload is a web shell, which if it survives or is re-uploaded gives persistent access (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21624 (same product: Oxygenz ClipBucket)
CVE-2026-21875 (same product: Oxygenz ClipBucket)
CVE-2025-21622 (same product: Oxygenz ClipBucket)
CVE-2025-67418 (same product: Oxygenz ClipBucket)
CVE-2025-21623 (same product: Oxygenz ClipBucket)
CVE-2026-32321 (same product: Oxygenz ClipBucket)
CVE-2024-41787 (shared CWE-367)
CVE-2026-41002 (shared CWE-367)
CVE-2026-25641 (shared CWE-367)
CVE-2026-25052 (shared CWE-367)

Affected Assets

Vendor: oxygenz
Product: clipbucket
Versions: from 5.3, fixed in 5.5.3-40

Mitigating Controls

NIST SP 800-53 r5 controls:

SI-10 Information Input Validation (prevent): requires input validation at upload points so that files are verified as valid images before being moved to a web-accessible location, which removes the TOCTOU window rather than shortening it.

SI-2 Flaw Remediation (prevent): mandates timely flaw remediation, here patching ClipBucket to version 5.5.3-#40, which fixes the race condition in upload handling.

SI-3 Malicious Code Protection (prevent, detect): implements malicious code protection that scans uploaded files for PHP shells disguised as images, so that a file which slips through during the exposure window is still caught.
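As an added example of the SI-3 control, and not part of this page or of ClipBucket, here is a small scanner that walks an upload tree and flags files that a web shell disguised as an image would produce: an executable extension under the upload directory, an extension that does not match the content's magic bytes, or a PHP open tag embedded in an otherwise valid image. The upload root and the extension-to-MIME map are assumptions.

```php
<?php
// Added example for the SI-3 control; not ClipBucket's code. UPLOAD_ROOT and
// IMAGE_EXT_MIME are assumptions about the deployment being scanned.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/html/files';   // assumed ClipBucket upload tree

const IMAGE_EXT_MIME = [
    'jpg'  => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png'  => 'image/png',  'gif'  => 'image/gif',
];

/**
 * Examine one file. Returns null if it looks like a clean image, otherwise a
 * short reason describing why it is suspicious.
 */
function inspect_upload(string $path): ?string
{
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);

    // Anything the PHP handler would execute has no business under an upload tree.
    if (preg_match('/^(php\d?|phtml|phar)$/', $ext)) {
        return "executable extension .$ext in upload directory";
    }
    // Extension/content mismatch: shell.jpg that is really text, or an unknown type.
    if (!isset(IMAGE_EXT_MIME[$ext]) || IMAGE_EXT_MIME[$ext] !== $mime) {
        return "extension .$ext does not match detected type $mime";
    }
    // Polyglot: valid image header with PHP code in a comment block or trailer.
    // Avatars are small, so reading the whole file is acceptable here.
    $body = (string) file_get_contents($path);
    if (preg_match('/<\?(php\b|=)/i', $body)) {          // assumes short_open_tag is off
        return "PHP open tag embedded in $mime file";
    }
    return null;
}

/** Walk the tree and return [path => reason] for every suspicious file. */
function scan_uploads(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $reason = inspect_upload($info->getPathname());
        if ($reason !== null) {
            $findings[$info->getPathname()] = $reason;
        }
    }
    return $findings;
}

// Usage from cron or a post-upload hook; a non-zero exit lets a monitor alert on it.
$findings = scan_uploads(UPLOAD_ROOT);
foreach ($findings as $path => $reason) {
    fwrite(STDERR, "SUSPICIOUS $path: $reason\n");
}
exit($findings === [] ? 0 : 1);
```

The scanner is a detective control and will only see a file that is still on disk; for the race described on this page, the file that matters may already have been deleted by the time a periodic scan runs, so pair it with web server access logs (requests for paths under the upload tree that returned a PHP-generated response) and with the preventive ordering fix in the upload handler itself.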
