CVE-2013-10040
ClipBucket <= 2.6 ofc_upload_image.php Arbitrary File Upload RCE
Vexday Risk Score
63 · High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS: 10 · EPSS: 2.5% · KEV: no · PoC: public · Nuclei: — · Metasploit: yes · Patch: —
Lifecycle
04 Oct 2013: Metasploit module available
31 Jul 2025: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to upload arbitrary files, including executable PHP scripts. Once uploaded, the attacker can access the file via a predictable path and trigger remote code execution.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
ClipBucket LLC · ClipBucket
Public PoCs found: 2
cve_reference · packetstorm.news/files/id/123480 · unverified
cve_reference · raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/clipbucket_upload_exec.rb · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://clipbucket.com/
https://github.com/arslancb/clipbucket
https://packetstorm.news/files/id/123480
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/clipbucket_upload_exec.rb
https://www.vulncheck.com/advisories/clipbucket-arbitrary-file-upload-rce