Skip to main content

Ubb Threads

7 CVEs product

Monthly

CVE-2026-54224 HIGH This Week

Database-resource exhaustion in UBB.threads forum software (confirmed in version 7.7.5) allows an authenticated low-privileged user to deny service to the entire application by issuing concurrent profile-view requests. The flaw, reported by CERT-PL and tracked as CWE-405 (Asymmetric Resource Consumption), produces high availability impact (CVSS 4.0 VA:H, 7.1) with no confidentiality or integrity loss. There is no public exploit identified at time of analysis and the vulnerability is not on the CISA KEV list.

Denial Of Service Ubb Threads
NVD
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-54223 HIGH This Week

Remote code execution in UBB.threads forum software (version 7.7.5 confirmed) is achievable by authenticated users holding template-edit privileges, who can abuse a path traversal weakness to read and write arbitrary files within the web application's privilege scope. CERT-PL reported the issue after vendor contact attempts failed, and there is no public exploit identified at time of analysis. The flaw escalates a routine administrative capability into full server compromise without requiring user interaction.

Path Traversal RCE Ubb Threads
NVD
CVSS 4.0
8.6
EPSS
0.6%
CVE-2026-54222 HIGH This Week

Authenticated blind SQL injection in UBB.threads forum software version 7.7.5 (and likely other versions) allows administrators with access to the Members section of the Control Panel to extract arbitrary database contents, including user credentials, via time-based or boolean-based SQLi techniques. Reported by CERT-PL after unsuccessful vendor contact, with no public exploit identified at time of analysis and no vendor-released patch.

SQLi Ubb Threads
NVD
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-54221 MEDIUM This Month

Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. No public exploit code or active exploitation has been identified at time of analysis; vendor contact was unsuccessful, leaving patch status unresolved.

XSS Ubb Threads
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-54220 HIGH This Week

Cross-site request forgery in UBB.threads forum software version 7.7.5 (and potentially earlier versions) allows remote attackers to coerce authenticated forum users - including administrators - into executing unintended state-changing actions by visiting an attacker-controlled page. The flaw was reported by CERT-PL after unsuccessful vendor contact, so no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high impact when an authenticated administrator is targeted, though exploitation requires active user interaction.

CSRF Ubb Threads
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-54219 MEDIUM This Month

Stored XSS in UBB.threads 7.7.5 permits low-privileged forum members to permanently inject arbitrary JavaScript into post content and user profile fields, which then executes silently in any visitor's browser upon viewing the affected page. The vulnerability was discovered and disclosed by CERT-PL after unsuccessful vendor contact attempts, leaving remediation status unresolved. No public exploit code has been identified and no active exploitation is confirmed, but the persistent nature of the injection vector makes this a meaningful risk to forum users and administrators alike.

XSS Ubb Threads
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2012-5104 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in forums/ubbthreads.php in UBB.threads 7.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the Loginname parameter. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Ubb Threads
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
9.5%
EPSS 0% CVSS 7.1
HIGH This Week

Database-resource exhaustion in UBB.threads forum software (confirmed in version 7.7.5) allows an authenticated low-privileged user to deny service to the entire application by issuing concurrent profile-view requests. The flaw, reported by CERT-PL and tracked as CWE-405 (Asymmetric Resource Consumption), produces high availability impact (CVSS 4.0 VA:H, 7.1) with no confidentiality or integrity loss. There is no public exploit identified at time of analysis and the vulnerability is not on the CISA KEV list.

Denial Of Service Ubb Threads
NVD
EPSS 1% CVSS 8.6
HIGH This Week

Remote code execution in UBB.threads forum software (version 7.7.5 confirmed) is achievable by authenticated users holding template-edit privileges, who can abuse a path traversal weakness to read and write arbitrary files within the web application's privilege scope. CERT-PL reported the issue after vendor contact attempts failed, and there is no public exploit identified at time of analysis. The flaw escalates a routine administrative capability into full server compromise without requiring user interaction.

Path Traversal RCE Ubb Threads
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Authenticated blind SQL injection in UBB.threads forum software version 7.7.5 (and likely other versions) allows administrators with access to the Members section of the Control Panel to extract arbitrary database contents, including user credentials, via time-based or boolean-based SQLi techniques. Reported by CERT-PL after unsuccessful vendor contact, with no public exploit identified at time of analysis and no vendor-released patch.

SQLi Ubb Threads
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. No public exploit code or active exploitation has been identified at time of analysis; vendor contact was unsuccessful, leaving patch status unresolved.

XSS Ubb Threads
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Cross-site request forgery in UBB.threads forum software version 7.7.5 (and potentially earlier versions) allows remote attackers to coerce authenticated forum users - including administrators - into executing unintended state-changing actions by visiting an attacker-controlled page. The flaw was reported by CERT-PL after unsuccessful vendor contact, so no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high impact when an authenticated administrator is targeted, though exploitation requires active user interaction.

CSRF Ubb Threads
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in UBB.threads 7.7.5 permits low-privileged forum members to permanently inject arbitrary JavaScript into post content and user profile fields, which then executes silently in any visitor's browser upon viewing the affected page. The vulnerability was discovered and disclosed by CERT-PL after unsuccessful vendor contact attempts, leaving remediation status unresolved. No public exploit code has been identified and no active exploitation is confirmed, but the persistent nature of the injection vector makes this a meaningful risk to forum users and administrators alike.

XSS Ubb Threads
NVD
EPSS 9% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in forums/ubbthreads.php in UBB.threads 7.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the Loginname parameter. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Ubb Threads
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy