VYPR
Unrated severity. OSV Advisory. Published Nov 3, 2018. Updated Aug 5, 2024.

CVE-2018-18903

Description

Vanilla 2.6.x before 2.6.4 allows remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated deserialization in Vanilla Forums 2.6.x before 2.6.4 allows remote code execution via the fetchPageInfo function.

Vulnerability

The vulnerability exists in the ImportController class in library/core/functions.general.php. The fetchPageInfo method is reachable by unauthenticated attackers and performs an insecure unserialize() call on user-supplied data. Vanilla Forums versions 2.6.x prior to 2.6.4 are affected. [1]

Exploitation

An unauthenticated attacker can send a crafted HTTP request to the vulnerable endpoint, providing a serialized payload that triggers arbitrary code execution. The attacker does not need any prior authentication or special privileges. The exploit leverages the getimagesize function and domGetImages to achieve remote code execution. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the server, leading to full compromise of the Vanilla Forums installation. This can result in data theft, site defacement, or further lateral movement within the hosting environment. [1]

Mitigation

The vulnerability is fixed in Vanilla Forums version 2.6.4, released on 2018-10-02. Users should upgrade immediately. No workarounds are available. The vendor's changelog incorrectly described the impact, but the fix is included in that release. [1][2]
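
The Vulnerability and Mitigation sections above describe the flaw class (unserialize() on unauthenticated, user-supplied data) and the fix (upgrade). As an added illustration, not Vanilla's code and not taken from the fix, the PHP below contrasts the insecure pattern with two hardened alternatives a maintainer could apply to any endpoint that receives serialized input. All class and function names (CacheEntry, loadInsecure, loadHardened, loadJson, rejectObjects) are hypothetical, and the sample input is constructed for the demo.

```php
<?php
// Added example, not Vanilla Forums code. Names below are hypothetical.
declare(strict_types=1);

// A harmless class whose magic method only prints, so the demo shows that
// attacker-controlled input can make application code run, without any
// real gadget chain. Constructed for this example.
class CacheEntry
{
    public string $path = '/tmp/example';

    public function __wakeup(): void
    {
        // In a real application a method like this is what an attacker
        // reaches through deserialization.
        echo '__wakeup() ran for ' . static::class . PHP_EOL;
    }
}

// Insecure: the pattern the advisory describes. Every object in the input
// is instantiated, so __wakeup()/__destruct() execute on attacker data.
function loadInsecure(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Walk the decoded value and refuse anything that was an object. With
// allowed_classes => false PHP turns objects into __PHP_Incomplete_Class
// instead of instantiating them, so no magic method has run by this point.
function rejectObjects(mixed $value): void
{
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    if (is_array($value)) {
        foreach ($value as $element) {
            rejectObjects($element);
        }
    }
}

// Hardened option 1: keep unserialize() for scalar/array data but forbid
// object instantiation, then reject anything that tried to be an object.
function loadHardened(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    rejectObjects($value);
    return $value;
}

// Hardened option 2: use a data-only format. json_decode() never creates
// application classes, so there is no object graph to abuse.
function loadJson(string $untrusted): array
{
    $value = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $value;
}

// Constructed input: a serialized object nested in an array, the shape an
// untrusted client could send to an endpoint that calls unserialize().
$input = serialize(['page' => new CacheEntry()]);

loadInsecure($input);             // prints: __wakeup() ran for CacheEntry

try {
    loadHardened($input);         // rejected; __wakeup() never runs
} catch (InvalidArgumentException $e) {
    echo 'hardened: ' . $e->getMessage() . PHP_EOL;
}

var_dump(loadJson('{"url":"https://example.invalid/page"}'));
```

The `allowed_classes` option is the quickest defensive change when a code path must keep accepting PHP's native serialization format, but the advice that holds beyond this CVE is to keep unserialize() away from network input entirely and carry structured data as JSON. Upgrading to 2.6.4, as the advisory states, remains the actual fix for affected Vanilla installations.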

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

  • Vanilla OS/VanillaOSV2 versions: Vanilla_2.6.1, Vanilla_2.6.3, and 1 more
    • (no CPE) range: Vanilla_2.6.1, Vanilla_2.6.3, list
    • (no CPE) range: <2.6.4

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.