phpBB vulnerabilities
41 known vulnerabilities affecting phpbb/phpbb.

Total CVEs: 41
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 15, MEDIUM 23

Vulnerabilities (page 1 of 3)
Entry layout: CVE | priority | severity | CVSS | CWE (where listed) | PoC flag | affected or fixed versions | published date

CVE-2007-0762 | P3 | HIGH | CVSS 7.5 | PoC available | affects: phpBB++ build_100 | 2007-02-06
PHP remote file inclusion vulnerability in includes/functions.php in phpBB++ Build 100 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
Source: NVD

CVE-2026-48611 | P2 | CRITICAL | CVSS 9.8 | CWE-287 | affects: ≥ 3.3.0, ≤ 3.3.16 | 2026-06-12
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled, leading to unauthorized access in default installations.
Source: NVD

CVE-2007-4653 | P3 | HIGH | CVSS 7.5 | CWE-89 | PoC available | affects: ≤ 2.0.22 | 2007-09-04
SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter in a search action.
Source: NVD

CVE-2006-5191 | P3 | MEDIUM | CVSS 5.1 | CWE-94 | PoC available | affects: ≤ 1.0 | 2006-10-10
PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
Source: NVD

CVE-2003-1530 | P3 | HIGH | CVSS 7.5 | CWE-89 | PoC available | affects: v2.0.3 | 2003-12-31
SQL injection vulnerability in privmsg.php in phpBB 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the mark[] parameter.
Source: NVD

CVE-2001-1471 | P4 | HIGH | CVSS 8.8 | CWE-665 | PoC available | affects: ≤ 1.4.0 | 2001-07-31
prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized; these variables can then be modified by the user and are later used in an eval statement.
Source: NVD

CVE-2019-25685 | P3 | HIGH | CVSS 8.7 | CWE-22 | affects: ≤ 3.2.3 (v3.2.3) | 2026-04-05
phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Attackers can upload a crafted zip file containing serialized PHP objects that execute arbitrary code when deserialized through the imagick parameter in attachment settin
Sources: CVE List v5, NVD

CVE-2025-70810 | P3 | HIGH | CVSS 8.8 | CWE-352 | affects: v3.3.15 | 2026-04-09
Cross Site Request Forgery vulnerability in phpBB3 v3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism.
Source: NVD

CVE-2018-19274 | P3 | HIGH | CVSS 7.2 | CWE-502 | fixed in 3.2.4 | 2018-11-17
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
Sources: GHSA, NVD, OSV

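The two phar:// entries above (CVE-2018-19274, where an attacker-chosen path reaches file_exists(), and CVE-2019-25685, where the phar rides inside an uploaded archive) share one root cause: a string that looks like a path is handed to a PHP filesystem function that honours stream wrappers. The checks below are an added example written for this page, not phpBB's own code; the root directory, the sample paths and the "PNG" bytes are constructed. They show the two places a practitioner puts a gate: in front of the path-based check (reject wrappers, NUL bytes and traversal) and on upload (a phar archive always carries a `__HALT_COMPILER();` stub, even when wrapped in image headers).

```python
"""Added example (not phpBB code): gates against the phar:// deserialization pattern."""
import os
import re

# Anything shaped like a PHP stream wrapper (phar://, php://, data:, ...) must never reach
# a filesystem function. This example assumes POSIX, where a leading "scheme:" can only be
# a wrapper, never a drive letter.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)

# Every phar stub ends with this token; it survives when the phar is hidden in a polyglot.
PHAR_STUB_MARKER = b"__HALT_COMPILER();"


def safe_local_path(user_path: str, allowed_root: str):
    """Return (True, resolved_path) or (False, reason).

    Call this before any file_exists()-style check on user-controlled input:
    it rejects wrapper prefixes, NUL bytes and paths that resolve outside allowed_root.
    """
    if "\x00" in user_path:
        return False, "NUL byte in path"
    m = WRAPPER_RE.match(user_path)
    if m:
        return False, f"stream wrapper rejected: {m.group(0)}"
    root = os.path.realpath(allowed_root)
    candidate = os.path.realpath(os.path.join(root, user_path))  # absolute input replaces root
    if os.path.commonpath([root, candidate]) != root:
        return False, "path escapes allowed root"
    return True, candidate


def looks_like_phar(data: bytes) -> bool:
    """True when an uploaded blob carries a phar stub anywhere in it (polyglots included)."""
    return PHAR_STUB_MARKER in data


def demo():
    """Constructed inputs: one wrapper path, one traversal, one plain path, two uploads."""
    root = "/var/www/phpbb/files"  # assumption: the attachment directory
    png_header = b"\x89PNG\r\n\x1a\n"
    return {
        "wrapper": safe_local_path("phar:///var/www/phpbb/files/evil.jpg", root),
        "traversal": safe_local_path("../../../etc/passwd", root),
        "plain": safe_local_path("avatars/upload_1.jpg", root),
        # a "PNG" that is really a phar: image magic first, phar stub behind it
        "polyglot": looks_like_phar(png_header + b"<?php __HALT_COMPILER(); ?>" + b"\x00" * 8),
        "real_png": looks_like_phar(png_header + b"\x00" * 8),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The realpath step matters: a symlink inside the allowed root can still point outside it, so compare resolved paths, not the strings the user sent.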
CVE-2026-48612 | P3 | HIGH | CVSS 8.0 | CWE-352 | affects: ≥ 3.3.0, ≤ 3.3.16 | 2026-06-12
Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim's account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover.
Source: NVD

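The attack in CVE-2026-48612 is login CSRF on the OAuth callback: the attacker starts a flow in their own browser, captures the callback the provider sends back, and makes the victim's browser open it, so the victim's session links the attacker's provider identity. The `state` parameter exists to stop exactly this, but only if it is minted per session, stored server-side, compared in constant time, expired, and consumed on first use. The code below is an added example written for this page, not phpBB's implementation; the session dicts, provider ids, callback shape and the 10-minute TTL are constructed.

```python
"""Added example (not phpBB code): session-bound OAuth state, vulnerable vs hardened linking."""
import hmac
import secrets
import time
from typing import Optional

STATE_TTL_SECONDS = 600  # assumption: generous for one redirect hop to the provider and back


def begin_oauth_login(session: dict, now: Optional[float] = None) -> str:
    """Mint a fresh state for this session and remember it server-side."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_state_expires"] = (time.time() if now is None else now) + STATE_TTL_SECONDS
    return state  # the caller puts this in the authorization request's state= parameter


def verify_oauth_state(session: dict, received: Optional[str], now: Optional[float] = None) -> bool:
    """Consume the stored state; succeed only if it matches, is unexpired and unused."""
    expected = session.pop("oauth_state", None)
    expires = session.pop("oauth_state_expires", 0.0)
    if expected is None or received is None:
        return False  # this session never started a flow: the login-CSRF signature
    if (time.time() if now is None else now) > expires:
        return False
    return hmac.compare_digest(expected, received)


def link_account_unchecked(session: dict, provider_uid: str, callback: dict, accounts: dict) -> bool:
    """Vulnerable: links whatever identity the callback resolves to, no state check."""
    accounts[session["user"]] = provider_uid
    return True


def link_account(session: dict, provider_uid: str, callback: dict, accounts: dict) -> bool:
    """Hardened: refuse to link unless this very session started the flow."""
    if not verify_oauth_state(session, callback.get("state")):
        return False
    accounts[session["user"]] = provider_uid
    return True


def simulate_attack():
    """Attacker starts a flow in their own session, then feeds that callback to the victim."""
    attacker_session = {"user": "attacker"}
    state = begin_oauth_login(attacker_session)
    # The provider redirects the attacker back with a code that resolves to the attacker's
    # identity; instead of finishing, the attacker sends the victim to that callback URL.
    crafted_callback = {"state": state, "code": "code-for-attacker-identity"}  # constructed
    attacker_provider_uid = "provider-uid-attacker"

    victim_session = {"user": "victim"}  # the victim is logged in, never started OAuth
    vulnerable, hardened = {}, {}
    link_account_unchecked(victim_session, attacker_provider_uid, crafted_callback, vulnerable)
    linked = link_account(victim_session, attacker_provider_uid, crafted_callback, hardened)
    return vulnerable, hardened, linked


if __name__ == "__main__":
    print(simulate_attack())
```

Note that `verify_oauth_state` pops the stored values before deciding, so a state is single-use whether the check passes or fails; a replayed callback after a successful link is rejected too.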
CVE-2026-47366 | P3 | HIGH | CVSS 7.2 | CWE-284 | affects: ≥ 3.3.0, ≤ 3.3.16 | 2026-06-12
Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface.
Source: NVD

CVE-2026-29199 | P3 | HIGH | CVSS 8.1 | CWE-640 | fixed in 3.3.16; affects: ≥ 3.0.0, ≤ 3.3.15 | 2026-05-04
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or mis
Sources: GHSA, NVD

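The mechanism in CVE-2026-29199 is simple to model: the reset link's origin is built from whatever `Host` the request carried, so an attacker who can reach the reset endpoint with a forged `Host` gets the victim's reset token mailed inside a link to the attacker's domain. Below is an added example for this page, not phpBB's code. The config keys are named after phpBB's server settings (force_server_vars, server_protocol, server_name, server_port, script_path), but the values, the `allowed_hosts` set, the reset path and the log lines are constructed; the detection function at the end scans a constructed access-log format that records the Host header per request.

```python
"""Added example (not phpBB code): reset-link origin from Host header, vulnerable vs pinned."""
import re
from typing import Optional

# Syntactic hostname check: letters, digits, hyphens, dots; nothing that could smuggle a path.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

CONFIG = {  # constructed values; key names follow phpBB's server settings
    "force_server_vars": False,   # the weak setting in this scenario
    "server_protocol": "https",
    "server_name": "forum.example.org",
    "server_port": 443,
    "script_path": "/",
    "allowed_hosts": {"forum.example.org", "www.example.org"},  # assumption: not a phpBB setting
}
RESET_PATH = "/ucp.php?mode=reset_password&token="  # illustrative, not phpBB's exact URL


def host_from_header(headers: dict) -> Optional[str]:
    """Lower-cased hostname from Host with any port stripped; None if absent or malformed."""
    raw = headers.get("Host")
    if not raw:
        return None
    host = raw.split(":", 1)[0].strip().lower()
    return host if HOSTNAME_RE.match(host) else None


def origin(proto: str, host: str, port: int) -> str:
    default_port = (proto == "https" and port == 443) or (proto == "http" and port == 80)
    return f"{proto}://{host}" + ("" if default_port else f":{port}")


def build_reset_link_vulnerable(config: dict, headers: dict, token: str) -> str:
    """Mirrors the flaw: with force_server_vars off, the request's Host wins unconditionally."""
    if config["force_server_vars"]:
        host = config["server_name"]
    else:
        host = host_from_header(headers) or config["server_name"]
    return origin(config["server_protocol"], host, config["server_port"]) \
        + config["script_path"].rstrip("/") + RESET_PATH + token


def build_reset_link(config: dict, headers: dict, token: str) -> str:
    """Hardened: the request's Host is honoured only when it is on the allow-list."""
    host = config["server_name"]
    if not config["force_server_vars"]:
        candidate = host_from_header(headers)
        if candidate in config["allowed_hosts"]:
            host = candidate
    return origin(config["server_protocol"], host, config["server_port"]) \
        + config["script_path"].rstrip("/") + RESET_PATH + token


# Constructed log format: "<client_ip> <host_header> \"<request line>\" <status>"
ACCESS_LOG = [
    '203.0.113.5 forum.example.org "POST /ucp.php?mode=sendpassword HTTP/1.1" 200',
    '198.51.100.7 evil.example.net "POST /ucp.php?mode=sendpassword HTTP/1.1" 200',
    '198.51.100.7 evil.example.net "GET /index.php HTTP/1.1" 200',
]
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')


def suspicious_reset_requests(lines, allowed_hosts):
    """Reset-endpoint hits whose Host header is not one of ours: (client_ip, host) pairs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, host, _method, path, _status = m.groups()
        if "mode=sendpassword" in path and host.lower() not in allowed_hosts:
            hits.append((ip, host))
    return hits


if __name__ == "__main__":
    forged = {"Host": "evil.example.net"}
    print(build_reset_link_vulnerable(CONFIG, forged, "t0k"))
    print(build_reset_link(CONFIG, forged, "t0k"))
    print(suspicious_reset_requests(ACCESS_LOG, CONFIG["allowed_hosts"]))
```

Enabling force_server_vars closes the hole on its own, as the vulnerable builder shows; the allow-list variant is for deployments that genuinely serve several hostnames and cannot pin a single one.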
CVE-2019-16993 | P3 | HIGH | CVSS 8.8 | CWE-352 | affects: ≤ 3.1.7 | 2019-09-30
In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.
Sources: GHSA, NVD, OSV

CVE-2017-1000419 | P3 | HIGH | CVSS 7.5 | CWE-918 | affects: v3.2.0 | 2018-01-02
phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar function, allowing an attacker to perform port scanning, request internal content and potentially attack such internal services via the web application.
Sources: GHSA, NVD, OSV

CVE-2026-48613 | P3 | MEDIUM | CVSS 5.9 | CWE-89 | affects: ≥ 3.3.8, ≤ 3.3.16 | 2026-06-12
SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated to 3.3.11 or newer yet.
Source: NVD

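Three entries on this page are SQL injection through values that should only ever be integers: the mark[] list in privmsg.php (CVE-2003-1530), the start offset in the Links MOD (CVE-2007-4653) and, in a different code path, the profile field migration above (CVE-2026-48613). The example below is added for this page and is not phpBB code; it reproduces the mark[] shape against an in-memory SQLite table with constructed rows and a constructed query, because a list that is joined straight into `IN (...)` is the case a parameter placeholder alone cannot fix. The same integer cast is the fix for a single offset such as start.

```python
"""Added example (not phpBB code): integer-list injection in an IN (...) clause, and the fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed private-message table: two rows owned by alice, one by bob."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE privmsgs (privmsgs_id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)")
    conn.executemany("INSERT INTO privmsgs VALUES (?, ?, ?)", [
        (1, "alice", "hello"),
        (2, "alice", "lunch?"),
        (3, "bob", "salary review"),
    ])
    return conn


def fetch_marked_vulnerable(conn: sqlite3.Connection, owner: str, mark: list) -> list:
    """The owner is bound safely, but the mark[] values are joined straight into the SQL."""
    id_list = ",".join(mark)
    sql = ("SELECT privmsgs_id, owner, subject FROM privmsgs "
           f"WHERE owner = ? AND privmsgs_id IN ({id_list})")
    return conn.execute(sql, (owner,)).fetchall()


def fetch_marked(conn: sqlite3.Connection, owner: str, mark: list) -> list:
    """Hardened: every id must parse as an int, and each one is bound as a parameter."""
    ids = [int(x) for x in mark]  # ValueError on anything that is not a plain integer
    if not ids:
        return []
    placeholders = ",".join(["?"] * len(ids))
    sql = ("SELECT privmsgs_id, owner, subject FROM privmsgs "
           f"WHERE owner = ? AND privmsgs_id IN ({placeholders}) ORDER BY privmsgs_id")
    return conn.execute(sql, [owner, *ids]).fetchall()


# Constructed payload: closes the IN list, ORs in an always-true condition, comments out the rest.
PAYLOAD = ["1) OR 1=1 --"]


def demo():
    """Returns (rows the vulnerable query leaks, whether the fix rejected the payload, alice's rows)."""
    conn = make_db()
    leaked = fetch_marked_vulnerable(conn, "alice", PAYLOAD)
    try:
        fetch_marked(conn, "alice", PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    own = fetch_marked(conn, "alice", ["1", "2"])
    return leaked, blocked, own


if __name__ == "__main__":
    leaked, blocked, own = demo()
    print("leaked:", leaked)
    print("payload rejected by hardened query:", blocked)
    print("alice's own rows:", own)
```

The vulnerable statement ends up as `... WHERE owner = ? AND privmsgs_id IN (1) OR 1=1 --)`, so the bound owner check is neutralised by the injected OR and bob's message comes back too. Casting to int before building the placeholder list rejects the payload outright rather than trying to escape it.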
CVE-2019-16108 | P3 | HIGH | CVSS 7.5 | CWE-94 | affects: v3.2.7 | 2020-03-20
phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.
Sources: GHSA, NVD, OSV

CVE-2002-2255 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | PoC available | affects: v2.0.3 | 2002-12-31
Cross-site scripting (XSS) vulnerability in search.php in phpBB 2.0.3 and possibly earlier versions allows remote attackers to inject arbitrary web script or HTML via the search_username parameter in searchuser mode.
Source: NVD

CVE-2019-9826 | P4 | HIGH | CVSS 7.5 | CWE-20 | affects: ≤ 3.2.5 | 2019-05-02
The fulltext search component in phpBB before 3.2.6 allows Denial of Service.
Sources: GHSA, NVD, OSV

CVE-2019-11767 | P4 | MEDIUM | CVSS 5.8 | CWE-918 | fixed in 3.2.6 | 2019-05-05
Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local network of the host through the remote avatar upload function.
Sources: GHSA, NVD, OSV

CVE-2015-1432 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | affects: ≤ 3.0.12 | 2015-02-10
The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.
Source: NVD