Skip to main content

UBB.threads EUVDEUVD-2026-37886

| CVE-2026-54223 HIGH
Path Traversal (CWE-22)
2026-06-18 CERT-PL GHSA-jgf8-gg7j-fq24
8.6
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Network-reachable admin UI (AV:N/AC:L), template-edit privilege required (PR:H), no user interaction (UI:N); arbitrary file R/W escapes the application's intended file scope so S:C, and RCE yields full C/I/A:H.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 18, 2026 - 13:32 vuln.today

DescriptionCVE.org

UBB.threads is vulnerable to Path traversal, allowing attackers with privilege to edit templates to read and write any file on the application’s server that application has privileges to, what results in Remote Code Execution. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.

AnalysisAI

Remote code execution in UBB.threads forum software (version 7.7.5 confirmed) is achievable by authenticated users holding template-edit privileges, who can abuse a path traversal weakness to read and write arbitrary files within the web application's privilege scope. CERT-PL reported the issue after vendor contact attempts failed, and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain template-editor credentials
Delivery
Authenticate to UBB.threads admin UI
Exploit
Submit traversal path with PHP payload in template editor
Install
Application writes file into webroot
C2
Request planted file via HTTP
Execute
PHP engine executes payload
Impact
Code execution as web server user

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated UBB.threads account with the 'edit templates' privilege (administrator or equivalent role with template-management rights) - the description states attackers must already have privilege to edit templates, which aligns with the CVSS PR:H rating. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N, VC/VI/VA:H, SC/SI/SA:L, base 8.6) accurately captures the tension here: impact is severe (full read/write plus RCE) but the precondition PR:H meaningfully constrains the attacker pool to accounts already trusted to edit templates - typically administrators or designated template managers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds a UBB.threads administrator or template-manager account - obtained via credential stuffing, phishing of a forum admin, or insider access - opens the template editor and submits a target filename containing traversal sequences (or an absolute path) pointing into the webroot, then saves PHP payload content as the body. On the next HTTP request to the planted file the web server interprets it as code, giving the attacker command execution as the PHP user and a foothold to pivot into the database, harvest member data, or persist via further file writes; no public proof-of-concept is currently identified.
Remediation No vendor-released patch identified at time of analysis - CERT-PL reports that vendor contact attempts were unsuccessful, so operators must rely on compensating controls until UBB Systems publishes a fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running UBB.threads 7.7.5 and audit all user accounts with template-edit privileges; immediately review administrative logs for unauthorized file operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy