Skip to main content

Phpbb CVE-2025-70810

| EUVDEUVD-2025-209383 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-09 mitre
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 17, 2026 - 13:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 13:07 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 17:22 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
8.8 (HIGH)
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2025-209383
CVE Published
Apr 09, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism

AnalysisAI

CSRF vulnerability in phpBB 3.3.15 allows remote attackers to execute arbitrary code by exploiting the login function and authentication mechanism. Despite a CVSS score of 8.8, the EPSS probability is very low (0.04%, 12th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed (not in CISA KEV). A proof-of-concept is publicly available via GitHub Gist. The CVE description contains conflicting data: it states 'local attacker' while CVSS vector shows AV:N (network attack vector) and requires user interaction (UI:R), suggesting social engineering rather than local access.

Technical ContextAI

phpBB is an open-source bulletin board system written in PHP. This vulnerability exploits CWE-352 (Cross-Site Request Forgery), where the application fails to validate that authenticated requests originated from the legitimate user rather than a malicious third party. CSRF attacks typically work by tricking an authenticated user into executing unwanted actions through forged requests embedded in links, images, or scripts on attacker-controlled sites. The vulnerability specifically targets phpBB 3.3.15's login function and authentication mechanism, suggesting insufficient anti-CSRF token validation or session management weaknesses during the authentication flow. The claimed arbitrary code execution impact is unusual for CSRF vulnerabilities, which typically enable unauthorized actions within the application's normal functionality rather than full RCE. This discrepancy requires verification against the public POC to determine if the vulnerability chain includes secondary exploitation techniques beyond standard CSRF.

RemediationAI

Upgrade phpBB to the latest stable version available from the official phpBB download page at phpbb.com, as no specific patched version is identified in the available references. Before upgrading, review the GitHub Gist POC at https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30 to understand the attack mechanics and verify whether your installation's configuration exposes the vulnerable code path. As an interim mitigation until patching, implement strict Content Security Policy headers to limit cross-origin requests, configure web application firewalls to detect and block CSRF patterns targeting the login endpoint, and educate administrators to avoid clicking untrusted links while authenticated to phpBB admin panels. Note that CSRF mitigations like SameSite cookie attributes may interfere with legitimate cross-domain integrations, requiring testing before production deployment. Monitor phpBB security announcements at phpbb.com/security for official vendor guidance, as no formal advisory is referenced in the CVE data and the vendor may issue additional context or hotfixes.

Share

CVE-2025-70810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy