Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism
AnalysisAI
CSRF vulnerability in phpBB 3.3.15 allows remote attackers to execute arbitrary code by exploiting the login function and authentication mechanism. Despite a CVSS score of 8.8, the EPSS probability is very low (0.04%, 12th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed (not in CISA KEV). A proof-of-concept is publicly available via GitHub Gist. The CVE description contains conflicting data: it states 'local attacker' while CVSS vector shows AV:N (network attack vector) and requires user interaction (UI:R), suggesting social engineering rather than local access.
Technical ContextAI
phpBB is an open-source bulletin board system written in PHP. This vulnerability exploits CWE-352 (Cross-Site Request Forgery), where the application fails to validate that authenticated requests originated from the legitimate user rather than a malicious third party. CSRF attacks typically work by tricking an authenticated user into executing unwanted actions through forged requests embedded in links, images, or scripts on attacker-controlled sites. The vulnerability specifically targets phpBB 3.3.15's login function and authentication mechanism, suggesting insufficient anti-CSRF token validation or session management weaknesses during the authentication flow. The claimed arbitrary code execution impact is unusual for CSRF vulnerabilities, which typically enable unauthorized actions within the application's normal functionality rather than full RCE. This discrepancy requires verification against the public POC to determine if the vulnerability chain includes secondary exploitation techniques beyond standard CSRF.
RemediationAI
Upgrade phpBB to the latest stable version available from the official phpBB download page at phpbb.com, as no specific patched version is identified in the available references. Before upgrading, review the GitHub Gist POC at https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30 to understand the attack mechanics and verify whether your installation's configuration exposes the vulnerable code path. As an interim mitigation until patching, implement strict Content Security Policy headers to limit cross-origin requests, configure web application firewalls to detect and block CSRF patterns targeting the login endpoint, and educate administrators to avoid clicking untrusted links while authenticated to phpBB admin panels. Note that CSRF mitigations like SameSite cookie attributes may interfere with legitimate cross-domain integrations, requiring testing before production deployment. Monitor phpBB security announcements at phpbb.com/security for official vendor guidance, as no formal advisory is referenced in the CVE data and the vendor may issue additional context or hotfixes.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209383