VYPR
Medium severity · 5.9 · NVD Advisory · Published Jun 12, 2026

CVE-2026-48613

Description

SQL injection vulnerability in the phpBB profile field migration, caused by improper handling of user-supplied profile field data during migration, allows execution of arbitrary SQL queries. This only applies to phpBB forums that were updated from versions prior to phpBB 3.3.8 and have not yet been updated to 3.3.11 or newer.

Patches

90973a52b46c

[prep-release-3.3.11] Update changelog for 3.3.11

https://github.com/phpbb/phpbb · Marc Alexander · Oct 16, 2023 · Fixed in release-3.3.11 via release-tag
1 file changed · +5 −0
  • phpBB/docs/CHANGELOG.html · +5 −0 · modified
    @@ -233,6 +233,11 @@ <h4>Task</h4>
     				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-17149">PHPBB3-17149</a>] - Update authors and pull request template</li>
     				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-17154">PHPBB3-17154</a>] - Update composer and dependencies to latest versions</li>
     			</ul>
    +			<h4>Hardening</h4>
    +			<ul>
    +				<li>[<a href="https://tracker.phpbb.com/browse/SECURITY-132">SECURITY-132</a>] - Limit CAPTCHA attempts at registration for single session</li>
    +				<li>[<a href="https://tracker.phpbb.com/browse/SECURITY-279">SECURITY-279</a>] - Escape smilies URL and prevent paths in .pak filename</li>
    +			</ul>
     
     			<a name="v3310rc1"></a><h3>Changes since 3.3.10-RC1</h3>
     			<h4>Bug</h4>
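
Review bot: The Hardening list added after the Task list names only SECURITY-132 (CAPTCHA attempts at registration) and SECURITY-279 (smilies URL and .pak filename), and neither entry mentions profile fields or a migration, so the SQL injection in the description cannot be traced to this changelog-only hunk. Add an entry for the profile field migration fix to this list, referencing its tracker ticket, so that administrators reading CHANGELOG.html can tell that 3.3.11 addresses it, and link the commit that changes the migration code itself.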
    
