Phpbb

5 CVEs

CVE-2026-48613 MEDIUM This Month

SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profile field migration routine. Only forums that were upgraded from a pre-3.3.8 release and have not yet reached 3.3.11 are affected, which narrows the exposed population to a specific upgrade window: a board installed fresh at 3.3.8 or later never ran the flawed migration, and upgrading an affected board to 3.3.11 or later closes it. No public exploit was identified at the time of analysis, and no EPSS score was provided.

SQLi Phpbb
NVD VulDB
CVSS 3.0
5.9
EPSS
0.0%
CVE-2026-48612 HIGH This Week

Account takeover in phpBB via an OAuth state-verification flaw enables remote attackers to link a victim's forum account to an attacker-controlled identity provider account. Because the link callback is not bound to the state issued for the victim's own session, the attack works like a CSRF: the victim, while authenticated, clicks an attacker-crafted callback link carrying the attacker's own provider authorization response, after which the attacker can log in as the victim through the linked external provider. No public exploit was identified at the time of analysis, but a vendor community advisory has been published.

CSRF Phpbb
NVD
CVSS 3.0
8.0
EPSS
0.0%
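The state check that the entry above says is missing, shown as an added example that is not phpBB's code and not taken from the vendor advisory. The endpoint paths, session keys, user id and authorization codes are constructed for illustration; the vulnerable function accepts any callback that carries a code, while the hardened one only accepts a callback that echoes the single-use state stored in the same session that started the link flow.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class LinkRejected(Exception):
    """Raised when an OAuth account-link callback fails verification."""


def start_link(session: dict, provider: str, redirect_uri: str) -> str:
    """Begin linking the logged-in forum account to an external provider.

    Issues an unguessable `state`, stores it in the victim's own session and
    embeds it in the authorization URL. The provider echoes `state` back on the
    callback, so only a callback that began in this session can complete.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_link_state"] = state
    session["oauth_link_provider"] = provider
    # Hypothetical authorize endpoint; the real one is provider-specific.
    query = urlencode({"response_type": "code", "redirect_uri": redirect_uri, "state": state})
    return f"https://idp.example/{provider}/authorize?{query}"


def _callback_params(callback_url: str) -> tuple:
    q = parse_qs(urlsplit(callback_url).query)
    return q.get("code", [None])[0], q.get("state", [""])[0]


def finish_link_vulnerable(session: dict, callback_url: str) -> str:
    """Vulnerable pattern: trusts the callback's `code` and never checks `state`.

    Any callback link the attacker can make the logged-in victim open, carrying
    the attacker's own authorization code, links the attacker's identity
    provider account to the victim's forum account.
    """
    code, _ = _callback_params(callback_url)
    if not code:
        raise LinkRejected("missing code")
    return f"linked user={session['user_id']} to code={code}"


def finish_link_hardened(session: dict, callback_url: str) -> str:
    """Hardened pattern: the callback must carry the single-use state issued to this session."""
    code, state = _callback_params(callback_url)
    expected = session.pop("oauth_link_state", None)  # consumed whether or not it matches
    if not code:
        raise LinkRejected("missing code")
    if expected is None or not hmac.compare_digest(state.encode(), expected.encode()):
        raise LinkRejected("state mismatch: callback was not started from this session")
    return f"linked user={session['user_id']} to code={code}"


def demo() -> dict:
    """Constructed scenario: the victim never started a link flow, yet opens a
    forged callback that carries the attacker's code (all values made up)."""
    forged = "https://forum.example/oauth/callback?code=ATTACKER_CODE"
    results = {"vulnerable": finish_link_vulnerable({"user_id": 42}, forged)}
    try:
        results["hardened"] = finish_link_hardened({"user_id": 42}, forged)
    except LinkRejected as exc:
        results["hardened"] = f"rejected: {exc}"
    # Legitimate flow for comparison: state issued here, echoed back by the provider.
    session = {"user_id": 42}
    auth_url = start_link(session, "example", "https://forum.example/oauth/callback")
    state = parse_qs(urlsplit(auth_url).query)["state"][0]
    results["legit"] = finish_link_hardened(
        session, f"https://forum.example/oauth/callback?code=GOOD&state={state}"
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The state is popped from the session before it is compared, so a callback can be consumed at most once and a session that never started a link flow has nothing to match; that is the property a tester should look for when assessing any account-linking endpoint, independent of which forum software is in front of it.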
CVE-2026-47366 HIGH This Week

Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions beyond their authorized scope through the Administration Control Panel (ACP), enabling elevation to full administrative control over the forum. The flaw stems from improper verification of access permissions when permissions are modified via the ACP: the ACP does not adequately check that the acting administrator is entitled to assign the permissions being granted. No public exploit was identified at the time of analysis. With CVSS 7.2 (PR:H) and no KEV listing, this is a meaningful but not panic-level risk that primarily threatens multi-admin phpBB deployments where administrative duties are intentionally segmented; a board with a single all-powerful administrator leaves nothing further to escalate to.

Authentication Bypass Privilege Escalation Phpbb
NVD
CVSS 3.0
7.2
EPSS
0.0%
CVE-2026-48611 CRITICAL Act Now

Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting default installations even when OAuth is not configured or enabled. Remote unauthenticated attackers can gain unauthorized access to arbitrary accounts on the forum platform. No public exploit was identified at the time of analysis despite the critical 9.8 CVSS score; because the flaw is reachable on default installations, having OAuth switched off does not reduce exposure and patching is the only remedy this entry supports.

Authentication Bypass Phpbb
NVD
CVSS 3.0
9.8
EPSS
0.1%
CVE-2026-29199 PHP HIGH PATCH GHSA This Week

Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_vars is disabled: with that setting off, absolute URLs in outgoing mail are built from the request's Host header rather than from the administrator-configured server name. An attacker who submits a password reset request for a victim with a manipulated Host header causes the reset link emailed to the victim to point at an attacker-controlled domain; if the victim follows it, the reset token is delivered to the attacker, enabling credential theft and account takeover. CVSS 8.1 with network vector and no authentication required; the EPSS score is low (0.02%, 4th percentile), which is a low predicted probability of exploitation rather than evidence of observed activity. A vendor-released fix is available in phpBB 3.3.16; on boards that cannot be patched immediately, enabling force_server_vars with the correct protocol, server name and port makes generated links independent of the Host header, as a mitigation rather than a substitute for the fix.

Code Injection Phpbb
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
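The behaviour behind this entry, as an added example rather than phpBB's own code: a simplified model of how absolute links are built with force_server_vars off versus on, a reset link built on top of it, and the check a tester would run on the link that actually arrives in the mailbox. The config dictionary uses the key names from phpBB's ACP server settings, but the values, the reset-link path and query parameters, the user id, the token and the spoofed Host value are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed settings using phpBB's ACP "Server settings" key names; the values are made up.
CONFIG_HOST_TRUSTED = {
    "force_server_vars": 0,          # the vulnerable setting: derive the host from the request
    "server_protocol": "https://",
    "server_name": "forum.example",
    "server_port": 443,
    "script_path": "/",
}
CONFIG_FORCED = dict(CONFIG_HOST_TRUSTED, force_server_vars=1)


def board_url(config: dict, request_headers: dict) -> str:
    """Base URL for absolute links such as the password-reset link in outgoing mail.

    Simplified model of the behaviour described in the advisory, not phpBB's code:
    with force_server_vars off the request's Host header chooses the host; with it
    on, only the administrator-configured protocol, name and port are used.
    """
    proto = config["server_protocol"]
    if config["force_server_vars"]:
        host = config["server_name"]
        port = int(config["server_port"])
        if port not in (80, 443):
            host = f"{host}:{port}"
    else:
        # Whatever the client sent, port suffix included, ends up in the link.
        host = request_headers.get("Host") or config["server_name"]
    return f"{proto}{host}{config['script_path'].rstrip('/')}"


def reset_link(config: dict, request_headers: dict, user_id: int, token: str) -> str:
    """Illustrative reset-link path; the query parameters are constructed, not phpBB's."""
    return f"{board_url(config, request_headers)}/ucp.php?mode=reset_password&u={user_id}&token={token}"


def link_points_offsite(link: str, trusted_hosts: set) -> bool:
    """Practitioner check: does the emailed link leave the board's own host?

    Compares the parsed hostname, so `forum.example.attacker.example` and
    `forum.example@attacker.example` (parsed as userinfo@host) both count as off-site.
    """
    return (urlsplit(link).hostname or "").lower() not in {h.lower() for h in trusted_hosts}


def demo() -> dict:
    """Constructed probe: a reset request arriving with a spoofed Host header."""
    token = "0123456789abcdef"  # made-up token, not a real reset token
    spoofed = {"Host": "canary.attacker.example"}
    vulnerable = reset_link(CONFIG_HOST_TRUSTED, spoofed, 7, token)
    hardened = reset_link(CONFIG_FORCED, spoofed, 7, token)
    return {
        "vulnerable_link": vulnerable,
        "hardened_link": hardened,
        "vulnerable_offsite": link_points_offsite(vulnerable, {"forum.example"}),
        "hardened_offsite": link_points_offsite(hardened, {"forum.example"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To test a live board the same way, submit the forgot-password form with a Host header set to a domain you control and inspect the link in the resulting email; a link whose hostname is not the board's own is the finding. A reverse proxy that rewrites Host to the configured name reduces exposure only if nothing upstream re-injects the client-supplied value through another header, so verify the emailed link rather than the proxy configuration.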