Skip to main content

Phpbb CVE-2025-70811

| EUVDEUVD-2025-209385 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-09 mitre
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:22 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
4.3 (MEDIUM)
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2025-209385
CVE Published
Apr 09, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.

AnalysisAI

Cross-site request forgery in phpBB 3.3.15 allows unauthenticated remote attackers to execute arbitrary code through the Admin Control Panel icon management functionality via a malicious link or webpage that tricks an authenticated administrator into performing unwanted actions. The attack requires user interaction (UI:R) and targets only integrity (CVSS score 4.3), though the CVE tags reference RCE, suggesting potential for elevated impact under specific conditions. No public exploit code has been independently confirmed at the time of this analysis.

Technical ContextAI

This vulnerability exploits a cross-site request forgery (CWE-352) weakness in phpBB's Admin Control Panel, specifically in the icon management feature. CSRF attacks bypass the same-origin policy by inducing an authenticated user (typically an administrator) to submit a forged request to a vulnerable endpoint. The icon management functionality likely processes file uploads or configuration changes without adequate CSRF token validation. An attacker crafts a malicious HTML page or link that, when visited by an authenticated admin, automatically submits a request to the vulnerable endpoint. The attack vector is network-based with low complexity (AC:L), meaning no special network conditions or techniques are required beyond standard HTTP requests. The phpBB product (CPE data shows n/a placeholder) version 3.3.15 is the confirmed affected release.

RemediationAI

Upgrade phpBB to version 3.3.16 or later, which includes CSRF token validation fixes for the Admin Control Panel icon management feature. The advisory is available at https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822. As an interim workaround pending patching, administrators should avoid clicking untrusted links or visiting untrusted websites while authenticated to the phpBB Admin Control Panel; consider using separate browser profiles or incognito sessions for administrative tasks, or implement network-based restrictions (IP whitelisting, VPN) to limit Admin Panel access. Verify CSRF token validation is enabled in your phpBB installation configuration. If you cannot upgrade immediately, review the GitHub security advisory for additional mitigation guidance.

Share

CVE-2025-70811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy