Unrated severityNVD Advisory· Published Feb 9, 2026· Updated Feb 11, 2026

Phar Deserialization leading to Arbitrary File Deletion in my little forum

CVE-2026-25923

Description

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.

Affected products

My Little Forum/Mylittleforumllm-create
Range: <20260208.1
My-Little-Forum/mylittleforumv5
Range: < 20260208.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1mitrex_refsource_MISC
github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fwmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000