vbulletin

Top products

The 15 most recently published vulnerabilities affecting vbulletin.

• CVE-2025-46171vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume ...5.4Jul 23, 2025
• BDU:2025-04734Уязвимость компонента forumrunner коммерческого веб-форума vBulletin, позволяющая нарушителю осуществить SSRF-атаку7.5Jul 2, 2025
• CVE-2025-48828Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invo...9.0May 27, 2025
• CVE-2025-48827vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?met...10.0May 27, 2025
• CVE-2023-39777A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.5.4Sep 16, 2023
• CVE-2023-25135vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks...9.8Feb 3, 2023
• BDU:2021-05701Уязвимость парсера BBCode коммерческого веб-форума vBulletin, связанная c непринятием мер по защите структуры веб-страницы, позволяющая нарушителю выполнить произвольный JavaScript9.0Dec 1, 2021
• CVE-2020-7373vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplet...9.8Oct 30, 2020
• CVE-2020-25115The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.4.8Sep 3, 2020
• CVE-2020-25116The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.4.8Sep 3, 2020
• CVE-2020-25117The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.4.8Sep 3, 2020
• CVE-2020-25118The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager.4.8Sep 3, 2020
• CVE-2020-25119The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.4.8Sep 3, 2020
• CVE-2020-25120The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.4.8Sep 3, 2020
• CVE-2020-25121The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options.4.8Sep 3, 2020