Skip to main content

phpBB CVE-2026-48613

| EUVDEUVD-2026-36382 MEDIUM
SQL Injection (CWE-89)
2026-06-12 hackerone GHSA-x29j-7g7q-59rw
5.9
CVSS 3.0 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
5.9 HIGH
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
vuln.today AI
5.9 MEDIUM

Network-reachable forum, but exploitation needs an authenticated user (PR:L), an admin-triggered migration (UI:R), and the narrow pre-3.3.8 upgrade state (AC:H); SQLi yields high confidentiality, partial integrity/availability.

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Severity Changed
Jun 12, 2026 - 04:22 NVD
HIGH MEDIUM
CVSS changed
Jun 12, 2026 - 04:22 NVD
7.1 (HIGH) 5.9 (MEDIUM)
Analysis Generated
Jun 12, 2026 - 03:47 vuln.today

DescriptionCVE.org

SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated to 3.3.11 or newer yet.

AnalysisAI

SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profile field migration routine. Only forums that were upgraded from a pre-3.3.8 release and have not yet reached 3.3.11 are affected, narrowing the exposed population to a specific upgrade window. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or use forum account
Delivery
Inject SQL payload into profile field
Exploit
Admin runs upgrade migration
Execution
Payload concatenated into migration query
Persist
Database executes injected SQL
Impact
Exfiltrate user table and credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a phpBB forum whose history includes a version older than 3.3.8 and that has not yet been upgraded to 3.3.11 or newer - clean 3.3.8+ installs are not vulnerable; (2) an authenticated forum account able to populate or modify a user profile field with attacker-controlled data (PR:L); and (3) the profile field migration routine being executed, which is typically driven by an administrator during upgrade (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.0 vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L produces a 7.1 score but materially understates the friction: exploitation needs an authenticated forum account (PR:L), user interaction (UI:R) - likely an administrator triggering the migration - and high attack complexity tied to the narrow upgrade window described (forums that came from <3.3.8 and have not yet reached 3.3.11). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A logged-in forum member fills a custom profile field with a crafted payload containing SQL meta-characters, then an administrator of a forum still mid-upgrade from a pre-3.3.8 release triggers the profile field migration; the malicious value is concatenated into a migration SQL statement and executed, letting the attacker exfiltrate user records and password hashes from phpbb_users. No public exploit identified at time of analysis, but the SQLi class and CWE-89 pattern make weaponization straightforward once the vulnerable code path is known.
Remediation Vendor-released patch: phpBB 3.3.11 - upgrade affected forums to 3.3.11 or later, which corrects the migration routine and remediates the SQL injection, per the advisory at https://www.phpbb.com/community/viewtopic.php?t=2672170. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all phpBB deployments and document which versions are currently running; identify affected systems (3.3.8 through 3.3.10). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy