Phpbb/phpbb
This hub aggregates every CVE we track for Phpbb/phpbb, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 15
- Critical: 0
- High: 6
- In CISA KEV: 0
Severity distribution
- MEDIUM: 8
- HIGH: 6
- LOW: 1
Monthly trend (chart, 2024-07 to 2026-06)
Latest CVEs
The 15 most recently published vulnerabilities affecting Phpbb/phpbb.
- CVE-2023-5917 (score 2.4): phpBB Smiley Pack acp_icons.php main cross site scripting
- CVE-2020-8226 (score 5.8): A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF.
- CVE-2019-16108 (score 7.5): phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.
- CVE-2019-16107 (score 4.3): Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments.
- CVE-2020-5502 (score 6.5): phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships.
- CVE-2020-5501 (score 4.3): phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.
- CVE-2019-16993 (score 8.8): In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an att...
- CVE-2019-13376 (score 6.5): phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS
- CVE-2019-11767 (score 5.8): Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local network of the host through the remote avatar upload function.
- CVE-2019-9826 (score 7.5): The fulltext search component in phpBB before 3.2.6 allows Denial of Service.
- CVE-2018-19274 (score 7.2): Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admi...
- CVE-2017-1000419 (score 7.5): phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar function resulting allowing an attacker to perform port scanning, requesting internal content and potentially attacking such internal ...
- CVE-2015-3880 (score 6.1): Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecif...
- CVE-2010-1630 (score 7.5): Unspecified vulnerability in posting.php in phpBB before 3.0.5 has unknown impact and attack vectors related to the use of a "forum id" in circumstances related to a "global announcement."
- CVE-2008-6507 (score 5.0): Unspecified vulnerability in phpBB before 3.0.4 allows attackers to obtain sensitive information via unknown vectors related to the lack of password prompts for a private message that quotes a post...
Product normalization is registry-driven with AI assist and human review.