Time-of-Check to Time-of-Use Race Condition in ClipBucket Video Sharing Platform
CVE-2026-25728

9.3 CRITICAL

Key Information:

Vendor: Macwarrior
CVE Published: 10 February 2026

What is CVE-2026-25728?

ClipBucket v5, an open-source video sharing platform, has a Time-of-Check to Time-of-Use (TOCTOU) race condition in its avatar and background image upload functionality. An uploaded file is moved to a web-accessible location before validation occurs, so the attacker has a window of opportunity to execute arbitrary PHP code while the file is still unvalidated. If the validation fails, the file can be deleted, but only after that window has already been open. This security issue was addressed in version 5.5.3.
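The check-then-publish order that closes this kind of window, as an added example that is not ClipBucket's code or its 5.5.3 patch. The function names, the size limit, the MIME allowlist and the injected `$move` callable are all assumptions made for illustration.

```php
<?php
// Added example, not ClipBucket code. All names and limits are hypothetical.
const ALLOWED_IMAGES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Order described in the advisory (shown only as comments):
//   move_uploaded_file($tmp, "$webDir/$clientName"); // file is now reachable
//   if (!valid($dest)) { unlink($dest); }            // check runs too late

/** Inspect the file where it is NOT web-accessible; return a safe extension or null. */
function validated_extension(string $path, int $maxBytes = 2097152): ?string
{
    if (!is_file($path) || filesize($path) > $maxBytes) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!is_string($mime) || !isset(ALLOWED_IMAGES[$mime])) {
        return null;
    }
    // The header must also parse as an image; the server-chosen extension
    // below is what keeps the stored file from being handled as PHP.
    return @getimagesize($path) === false ? null : ALLOWED_IMAGES[$mime];
}

/** Check first, then publish under a server-chosen name and extension. */
function publish_avatar(string $tmpPath, string $webDir, callable $move): ?string
{
    $ext = validated_extension($tmpPath);
    if ($ext === null) {
        return null; // rejected upload never reaches the web root
    }
    $dest = $webDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return $move($tmpPath, $dest) ? $dest : null;
}

// CLI demo with constructed inputs; a real handler passes 'move_uploaded_file'.
if (PHP_SAPI === 'cli') {
    $webDir = sys_get_temp_dir() . '/avatars_' . bin2hex(random_bytes(4));
    mkdir($webDir);
    $png = tempnam(sys_get_temp_dir(), 'up'); // constructed 1x1 PNG
    file_put_contents($png, base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
    $script = tempnam(sys_get_temp_dir(), 'up'); // constructed non-image upload
    file_put_contents($script, "<?php echo 'constructed sample';");
    var_dump(publish_avatar($png, $webDir, 'rename'));
    var_dump(publish_avatar($script, $webDir, 'rename'));
}
```

Serving the upload directory with script execution disabled at the web server gives a second layer if a validation step is ever reordered again.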

Affected Version(s)

clipbucket-v5 < 5.5.3 - #40

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
