Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Network-reachable forum, but exploitation needs an authenticated user (PR:L), an admin-triggered migration (UI:R), and the narrow pre-3.3.8 upgrade state (AC:H); SQLi yields high confidentiality, partial integrity/availability.
Primary rating from Vendor (hackerone).
CVSS Vector (Vendor: hackerone)
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Description (CVE.org)
SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated to 3.3.11 or newer yet.
Analysis (AI)
SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profile field migration routine. Only forums that were upgraded from a pre-3.3.8 release and have not yet reached 3.3.11 are affected, narrowing the exposed population to a specific upgrade window. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) a phpBB forum whose history includes a version older than 3.3.8 and that has not yet been upgraded to 3.3.11 or newer (clean 3.3.8+ installs are not vulnerable); (2) an authenticated forum account able to populate or modify a user profile field with attacker-controlled data (PR:L); and (3) the profile field migration routine being executed, which is typically driven by an administrator during upgrade (UI:R). … |
| Risk Assessment | The CVSS:3.0 vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L produces a 7.1 score but materially understates the friction: exploitation needs an authenticated forum account (PR:L), user interaction (UI:R), likely an administrator triggering the migration, and high attack complexity tied to the narrow upgrade window described (forums that came from <3.3.8 and have not yet reached 3.3.11). … |
| Exploit Scenario | A logged-in forum member fills a custom profile field with a crafted payload containing SQL meta-characters, then an administrator of a forum still mid-upgrade from a pre-3.3.8 release triggers the profile field migration; the malicious value is concatenated into a migration SQL statement and executed, letting the attacker exfiltrate user records and password hashes from phpbb_users. No public exploit identified at time of analysis, but the SQLi class and CWE-89 pattern make weaponization straightforward once the vulnerable code path is known. |
| Remediation | Vendor-released patch: phpBB 3.3.11. Upgrade affected forums to 3.3.11 or later, which corrects the migration routine and remediates the SQL injection, per the advisory at https://www.phpbb.com/community/viewtopic.php?t=2672170. … |
Recommended Action (AI)
Within 24 hours: Identify all phpBB deployments and document which versions are currently running; identify affected systems (3.3.8 through 3.3.10). …
Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting defa
Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_var
Account takeover in phpBB via OAuth state-verification flaw enables remote attackers to link a victim's forum account to
Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions
Same weakness CWE-89 – SQL Injection
EUVD-2026-36382
GHSA-x29j-7g7q-59rw