Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended redistribution of exploit details to prevent simplified exploitation. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stored or reflected cross-site scripting in vBulletin 6.x login component allows authenticated users with low privileges to inject malicious scripts that execute when other users interact with the manipulated login function. Public proof-of-concept exists (CVSS E:P) but detailed exploitation steps are being withheld by VulDB. Vendor did not respond to disclosure, and no patch release has been announced. EPSS data unavailable; not listed in CISA KEV, suggesting limited observed exploitation despite public POC availability.
Technical ContextAI
This vulnerability affects vBulletin 6.x, a PHP-based internet forum software widely deployed for community discussion platforms. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the fundamental cross-site scripting weakness class. The Login component fails to properly sanitize or encode user-controlled input before rendering it in HTML contexts, allowing injection of JavaScript or HTML. vBulletin's login mechanism typically processes username, password, and potentially redirect parameters-any of these could be the injection vector. Given the PR:L requirement in the CVSS vector, an authenticated low-privilege user (standard forum member) must be able to manipulate the login function parameters, suggesting this may be a stored XSS where the attacker pre-positions malicious payloads that trigger when victims access login-related pages, or a reflected XSS requiring social engineering to convince victims to click crafted links.
RemediationAI
No vendor-released patch has been announced for CVE-2026-9357 as of this analysis-vBulletin did not respond to disclosure. Monitor the official vBulletin security announcements page and check for updates to version 6.x that address login component XSS. In the absence of a patch, implement these compensating controls: Deploy web application firewall (WAF) rules to detect and block common XSS payloads in login-related parameters (username, password, redirect URLs), though this provides incomplete protection against sophisticated encoding techniques and may cause false positives blocking legitimate special characters in passwords. Enable Content Security Policy (CSP) headers with strict 'script-src' directives (e.g., 'self' only, no 'unsafe-inline') to prevent injected scripts from executing-however, this may break existing vBulletin JavaScript functionality if the application relies on inline scripts, requiring significant testing and potential code modifications. Restrict authenticated user permissions to the minimum necessary and implement additional monitoring for suspicious login activity patterns. Consider disabling public registration if the forum can operate with a closed user base, eliminating the PR:L attack vector entirely. Review server logs and vBulletin access logs for indicators of exploitation attempts (unusual JavaScript strings in HTTP parameters). Refer to VulDB technical details at https://vuldb.com/vuln/365320/cti for additional context, though full exploit code is withheld.
vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted t
SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 bef
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protec
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PH
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbe
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. Rated critical
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widge
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file delet
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Le
vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an una
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31572
GHSA-8rjw-7777-4jwx