anonhaven
Ad

CVE-2026-25728

CRITICAL CVSS 4.0: 9.3 EPSS 0.05%
Updated Feb 11, 2026
PHP
Parameter Value
CVSS 9.3 (CRITICAL)
Fixed In 5.5.3
Type CWE-367 (Time-of-check Time-of-use TOCTOU (Гонка проверки и использования))
Vendor PHP
Public PoC No

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, creating a window where an attacker can execute arbitrary PHP code before the file is deleted.

The uploaded file was moved to a web-accessible path via move_uploaded_file(), then validated via ValidateImage(). If validation failed, the file was deleted via @unlink(). This vulnerability is fixed in 5.5.3 - #40.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
None
Нет дополнительных условий
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
High
Полная утечка данных
Integrity
High
Полная модификация данных
Availability
High
Полный отказ в обслуживании

CVSS Vector v4.0

Weakness Type (CWE)

CWE-367 Time-of-check Time-of-use TOCTOU (Гонка проверки и использования)

References 2

https://github.com/MacWarrior/clipbucket-v5/commit/09536e6e2ca6d69a2ee83190b588…
security-advisories@github.com
https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-xq7c-m5r2-…
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-28429

PHP

7.5

CVE-2026-28502

PHP

9.3

CVE-2026-28501

PHP

9.8

CVE-2026-3616

PHP

5.3

CVE-2026-3610

PHP

5.3