CVE-2019-9826
Description
The fulltext search component in phpBB before 3.2.6 allows Denial of Service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpbb/phpbb (Packagist) | < 3.2.6 | 3.2.6 |
Affected products
- phpBB/phpBB
Vulnerability mechanics
Root cause
"Missing input validation in the fulltext search component allows an attacker to craft search queries that consume excessive server resources."
Attack vector
An unauthenticated or low-privileged attacker sends a specially crafted search request to the fulltext search endpoint. The search component fails to validate or limit the complexity of the input [CWE-20], causing the database or PHP process to exhaust memory or CPU. This results in a denial-of-service condition where the forum becomes unresponsive to legitimate users. The advisory does not specify the exact payload shape, but the vulnerability is triggered through the search functionality accessible to any forum visitor who can perform searches.
Affected code
The bundle does not identify specific files or functions. The vulnerability resides in the fulltext search component of phpBB versions before 3.2.6 [ref_id=1].
What the fix does
The bundle does not include a patch diff. According to the advisory, phpBB addressed this issue in version 3.2.6 by adding input validation and resource limits to the fulltext search component [ref_id=1]. The fix ensures that search queries are properly sanitized and bounded, preventing overly complex or malformed input from causing excessive resource consumption. Administrators are advised to upgrade to phpBB 3.2.6 or later to remediate the vulnerability.
Preconditions
- Network: Attacker must be able to reach the phpBB forum over HTTP/HTTPS.
- Input: Attacker must be able to submit search queries to the fulltext search endpoint (typically available to unauthenticated users or registered users depending on forum configuration).
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6pgr-x867-h7jx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-9826 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2019/04/29/3 (GHSA, mailing list)
- lists.debian.org/debian-lts-announce/2019/05/msg00004.html (MITRE, mailing list)
- www.phpbb.com/community/viewtopic.php (GHSA, vendor confirmation)