What is the CVSS score of CVE-2026-25923?

CVE-2026-25923 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2026-25923?

Organizations using classical threaded view. face critical risk from CVE-2026-25923, a unrestricted file upload vulnerability rated CVSS 9.1.

PHP CVE-2026-25923

CRITICAL

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-02-09 security-advisories@github.com

PHP Deserialization File Upload My Little Forum

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 09, 2026 - 22:16 nvd

CRITICAL 9.1

DescriptionNVD

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.

AnalysisAI

my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.

RemediationAI

Within 24 hours: Identify all affected systems running classical threaded view. and apply vendor patches immediately. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-25923 vulnerability details – vuln.today

Back

PHP CVE-2026-25923

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code