PT-2026-7321 · Unknown · Clipbucket
M0X41Nos
·
Published
2026-02-10
·
Updated
2026-02-18
·
CVE-2026-25728
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
ClipBucket versions prior to 5.5.3
Description
ClipBucket is an open source video sharing platform. A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the avatar and background image upload functionality. The application moves uploaded files to a web-accessible location before validating them, potentially allowing an attacker to execute arbitrary PHP code in the window before the file is deleted. The vulnerability occurs because the uploaded file is moved to a web-accessible path using the `move_uploaded_file()` function and only then validated using `ValidateImage()`. If validation fails, the file is deleted using `@unlink()`.
Recommendations
Update to version 5.5.3 or later.
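To make the ordering problem in the description concrete, here is an added illustrative PHP example; it is not ClipBucket's code and does not reproduce its `ValidateImage()` routine. The function and directory names (`saveAvatarVulnerable`, `saveAvatarHardened`, `$publicDir`, `$privateDir`) are hypothetical. The first function has the check-after-move shape the advisory describes; the second validates while the file is still in a directory the web server does not serve and only then places a server-named copy in the public path.

```php
<?php
// Added illustrative example, not ClipBucket's code. Assumes $publicDir is a
// web-served directory and $privateDir is outside the document root; both
// names and the function names are hypothetical.
declare(strict_types=1);

/** Return a safe extension for a real image file, or null if it is not one. */
function detectImageExtension(string $path): ?string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg',
                'image/gif' => 'gif', 'image/webp' => 'webp'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);          // sniff content, not the client's name
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }
    if (@getimagesize($path) === false) {  // header must parse as an image
        return null;
    }
    return $allowed[$mime];
}

/**
 * Vulnerable ordering (the pattern the advisory describes): the file is placed
 * in a web-served directory first and checked second. Between the move and
 * the unlink it is reachable over HTTP under the client-supplied name.
 */
function saveAvatarVulnerable(array $file, string $publicDir): bool
{
    $dest = $publicDir . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    if (detectImageExtension($dest) === null) { // check happens after the move
        @unlink($dest);                          // race window closes only here
        return false;
    }
    return true;
}

/**
 * Hardened ordering: stage in a private directory, validate there, and only
 * then rename into the public path under a server-chosen name whose
 * extension comes from the detected type rather than from the client.
 */
function saveAvatarHardened(array $file, string $privateDir, string $publicDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $staged = tempnam($privateDir, 'upl');     // not web-accessible
    if ($staged === false || !move_uploaded_file($file['tmp_name'], $staged)) {
        return null;
    }
    $ext = detectImageExtension($staged);
    if ($ext === null) {
        unlink($staged);                       // nothing was ever public
        return null;
    }
    $final = $publicDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!rename($staged, $final)) {            // $privateDir and $publicDir on one filesystem
        unlink($staged);
        return null;
    }
    return $final;
}
```

Two notes on the design. Content sniffing with `finfo` and `getimagesize()` rejects files that are not images at all but does not by itself defeat a file that is both a valid image and valid PHP; re-encoding the staged file with GD (`imagecreatefromstring()` followed by `imagepng()`/`imagejpeg()`) before the rename discards anything that is not pixel data. Independently of the application code, the upload directory should be configured so the web server never hands files in it to the PHP interpreter, which limits the impact even if the ordering bug reappears.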
Exploit
Fix
RCE
Time Of Check To Time Of Use
Weakness Enumeration
Related Identifiers
Affected Products
Clipbucket