Unrated severityNVD Advisory· Published May 27, 2025· Updated May 27, 2025

CVE-2025-48828

Description

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

Affected products

Jelsoft/Vbulletinv5
Range: 6.0.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

karmainsecurity.com/dont-call-that-protected-method-vbulletin-rcemitre
kevintel.com/CVE-2025-48828mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.059
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000