Total
52 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46171 | 1 Vbulletin | 1 Vbulletin | 2025-07-28 | N/A | N/A |
| vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum. | |||||
| CVE-2025-48827 | 1 Vbulletin | 1 Vbulletin | 2025-06-25 | N/A | 9.8 CRITICAL |
| vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025. | |||||
| CVE-2025-48828 | 1 Vbulletin | 1 Vbulletin | 2025-06-25 | N/A | 8.1 HIGH |
| Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025. | |||||
| CVE-2023-25135 | 1 Vbulletin | 1 Vbulletin | 2025-03-26 | N/A | 9.8 CRITICAL |
| vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. | |||||
| CVE-2019-16759 | 1 Vbulletin | 1 Vbulletin | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | |||||
| CVE-2020-17496 | 1 Vbulletin | 1 Vbulletin | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. | |||||
| CVE-2020-12720 | 1 Vbulletin | 1 Vbulletin | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | |||||
| CVE-2020-7373 | 1 Vbulletin | 1 Vbulletin | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | |||||
| CVE-2019-17132 | 1 Vbulletin | 1 Vbulletin | 2021-07-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| vBulletin through 5.5.4 mishandles custom avatars. | |||||
| CVE-2020-25121 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options. | |||||
| CVE-2020-25115 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager. | |||||
| CVE-2020-25117 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager. | |||||
| CVE-2020-25116 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager. | |||||
| CVE-2020-25118 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager. | |||||
| CVE-2020-25120 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI. | |||||
| CVE-2020-25119 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual. | |||||
| CVE-2020-25122 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. | |||||
| CVE-2020-25123 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. | |||||
| CVE-2020-25124 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. | |||||
| CVE-2017-17671 | 2 Microsoft, Vbulletin | 2 Windows, Vbulletin | 2020-08-14 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file. | |||||