Skip to main content

Phpbb CVE-2018-19274

HIGH
Deserialization of Untrusted Data (CWE-502)
2018-11-17 cve@mitre.org
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 17, 2018 - 13:29 nvd
HIGH 7.2

DescriptionNVD

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.

AnalysisAI

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions. Affected products include: Phpbb, Debian Debian Linux. Version information: before 3.2.4.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.

More in Phpbb

View all
CVE-2026-48611 CRITICAL POC
9.8 Jun 12

Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting defa

CVE-2019-13376 MEDIUM POC
6.5 Sep 27

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote A

CVE-2019-16993 HIGH
8.8 Sep 30

In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in

CVE-2026-29199 HIGH
8.1 May 04

Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_var

CVE-2026-48612 HIGH
8.0 Jun 12

Account takeover in phpBB via OAuth state-verification flaw enables remote attackers to link a victim's forum account to

CVE-2019-9826 HIGH
7.5 May 02

The fulltext search component in phpBB before 3.2.6 allows Denial of Service. Rated high severity (CVSS 7.5), this vulne

CVE-2026-47366 HIGH
7.2 Jun 12

Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions

CVE-2015-1432 MEDIUM
6.8 Feb 10

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the fo

CVE-2020-5502 MEDIUM
6.5 Jan 15

phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships. Rated medium severity (CVSS 6.5), this vuln

CVE-2015-3880 MEDIUM
6.1 Sep 19

Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of G

CVE-2023-5917 MEDIUM
6.1 Nov 02

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10.php of the component Smiley P

CVE-2026-48613 MEDIUM
5.9 Jun 12

SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profi

Share

CVE-2018-19274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy