Skip to main content

UBB.threads CVE-2026-54224

| EUVDEUVD-2026-37887 HIGH
Asymmetric Resource Consumption (Amplification) (CWE-405)
2026-06-18 CERT-PL GHSA-r4cc-xcx2-vp28
7.1
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable, low-complexity abuse of a normal feature by any authenticated user, no UI; only availability is affected (database exhaustion), no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 18, 2026 - 13:33 vuln.today

DescriptionCVE.org

UBB.threads is vulnerable to Denial of Service (DoS). By sending multiple concurrent requests to view any user profile on instances with many registered users, an authenticated attacker can easily exhaust database resources and completely deny access to the application for other users. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.

AnalysisAI

Database-resource exhaustion in UBB.threads forum software (confirmed in version 7.7.5) allows an authenticated low-privileged user to deny service to the entire application by issuing concurrent profile-view requests. The flaw, reported by CERT-PL and tracked as CWE-405 (Asymmetric Resource Consumption), produces high availability impact (CVSS 4.0 VA:H, 7.1) with no confidentiality or integrity loss. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register forum account
Delivery
Authenticate to UBB.threads
Exploit
Script concurrent profile-view GETs
Execution
Trigger amplified DB queries
Persist
Exhaust database connection pool
Impact
Application unavailable to all users

Vulnerability AssessmentAI

Exploitation Attacker must hold a valid authenticated forum account (CVSS PR:L) and the target must be a UBB.threads instance - confirmed 7.7.5, possibly other versions - that has accumulated a large user base, since the per-profile query cost scales with total registered users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent but moderate: CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H scores 7.1, reflecting network-reachable, low-complexity, authenticated exploitation with availability-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a normal forum account on a large public UBB.threads 7.7.5 community, then scripts a few dozen parallel HTTP GETs against /ubbthreads.php?ubb=showprofile&User=... using their session cookie. …
Remediation No vendor-released patch identified at time of analysis - vendor contact attempts by CERT-PL were unsuccessful, so operators must apply compensating controls. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all UBB.threads instances in production and confirm version 7.7.5 status. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy