phpbb

Top products

The 15 most recently published vulnerabilities affecting phpbb.

• CVE-2026-48613SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies...5.9Jun 12, 2026
• CVE-2026-48612Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. ...8.0Jun 12, 2026
• CVE-2026-48611Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.9.8Jun 12, 2026
• CVE-2026-47366Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level au...7.2Jun 12, 2026
• CVE-2026-29199phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Hos...8.1May 4, 2026
• CVE-2025-70811Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.4.3Apr 9, 2026
• CVE-2025-70810Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism8.8Apr 9, 2026
• CVE-2023-5917phpBB Smiley Pack acp_icons.php main cross site scripting2.4Nov 2, 2023
• CVE-2020-8226A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF.5.8Aug 17, 2020
• CVE-2019-16108phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.7.5Mar 19, 2020
• CVE-2019-16107Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments.4.3Mar 11, 2020
• CVE-2020-5502phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships.6.5Jan 14, 2020
• CVE-2020-5501phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.4.3Jan 14, 2020
• CVE-2011-0544phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag.6.1Nov 13, 2019
• CVE-2019-16993In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an att...8.8Sep 30, 2019