Skip to main content

vBulletin CVE-2026-9357

| EUVDEUVD-2026-31572 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-24 VulDB GHSA-8rjw-7777-4jwx
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
CVSS changed
May 26, 2026 - 20:07 NVD
3.5 (LOW) 2.0 (LOW)
Analysis Generated
May 24, 2026 - 06:45 vuln.today

DescriptionCVE.org

A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended redistribution of exploit details to prevent simplified exploitation. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored or reflected cross-site scripting in vBulletin 6.x login component allows authenticated users with low privileges to inject malicious scripts that execute when other users interact with the manipulated login function. Public proof-of-concept exists (CVSS E:P) but detailed exploitation steps are being withheld by VulDB. Vendor did not respond to disclosure, and no patch release has been announced. EPSS data unavailable; not listed in CISA KEV, suggesting limited observed exploitation despite public POC availability.

Technical ContextAI

This vulnerability affects vBulletin 6.x, a PHP-based internet forum software widely deployed for community discussion platforms. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the fundamental cross-site scripting weakness class. The Login component fails to properly sanitize or encode user-controlled input before rendering it in HTML contexts, allowing injection of JavaScript or HTML. vBulletin's login mechanism typically processes username, password, and potentially redirect parameters-any of these could be the injection vector. Given the PR:L requirement in the CVSS vector, an authenticated low-privilege user (standard forum member) must be able to manipulate the login function parameters, suggesting this may be a stored XSS where the attacker pre-positions malicious payloads that trigger when victims access login-related pages, or a reflected XSS requiring social engineering to convince victims to click crafted links.

RemediationAI

No vendor-released patch has been announced for CVE-2026-9357 as of this analysis-vBulletin did not respond to disclosure. Monitor the official vBulletin security announcements page and check for updates to version 6.x that address login component XSS. In the absence of a patch, implement these compensating controls: Deploy web application firewall (WAF) rules to detect and block common XSS payloads in login-related parameters (username, password, redirect URLs), though this provides incomplete protection against sophisticated encoding techniques and may cause false positives blocking legitimate special characters in passwords. Enable Content Security Policy (CSP) headers with strict 'script-src' directives (e.g., 'self' only, no 'unsafe-inline') to prevent injected scripts from executing-however, this may break existing vBulletin JavaScript functionality if the application relies on inline scripts, requiring significant testing and potential code modifications. Restrict authenticated user permissions to the minimum necessary and implement additional monitoring for suspicious login activity patterns. Consider disabling public registration if the forum can operate with a closed user base, eliminating the PR:L attack vector entirely. Review server logs and vBulletin access logs for indicators of exploitation attempts (unusual JavaScript strings in HTTP parameters). Refer to VulDB technical details at https://vuldb.com/vuln/365320/cti for additional context, though full exploit code is withheld.

CVE-2025-48827 CRITICAL POC
10.0 May 27

vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted t

CVE-2016-6195 CRITICAL POC
9.8 Aug 30

SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 bef

CVE-2025-48828 CRITICAL POC
9.0 May 27

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protec

CVE-2015-7808 HIGH POC
7.5 Nov 24

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PH

CVE-2013-6129 HIGH POC
7.5 Oct 19

The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the

CVE-2013-3522 MEDIUM POC
6.5 May 10

SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier

CVE-2020-17496 CRITICAL POC
9.8 Aug 12

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbe

CVE-2020-12720 CRITICAL POC
9.8 May 08

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. Rated critical

CVE-2019-16759 CRITICAL POC
9.8 Sep 24

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widge

CVE-2017-17672 CRITICAL POC
9.8 Dec 14

In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file delet

CVE-2016-6483 HIGH POC
8.6 Sep 02

The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Le

CVE-2017-17671 CRITICAL POC
9.8 Dec 14

vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an una

Share

CVE-2026-9357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy