Vbulletin

CVEs (76)

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2016-6195	Cri	0.74	9.8	0.85	Aug 30, 2016	SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016.
CVE-2016-6483	Hig	0.60	8.6	0.16	Sep 2, 2016	The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code.
CVE-2017-7569	Hig	0.56	8.6	0.00	Apr 6, 2017	In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037.
CVE-2015-3419	Med	0.42	6.5	0.00	Sep 19, 2017	vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conversations via vectors related to an input validation failure.
CVE-2014-9469	Med	0.40	6.1	0.00	Aug 28, 2017	Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3.
CVE-2005-0511		0.10	—	0.82	Feb 21, 2005	misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter.
CVE-2025-48828		0.09	—	0.74	May 27, 2025	Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
CVE-2025-48827		0.09	—	0.69	May 27, 2025	vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
CVE-2015-7808		0.09	—	0.79	Nov 24, 2015	The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.
CVE-2013-6129		0.09	—	0.78	Oct 19, 2013	The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013.
CVE-2013-3522		0.08	—	0.56	May 10, 2013	SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.
CVE-2007-2908		0.04	—	0.07	May 30, 2007	Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin before 3.6.6 allows remote attackers to inject arbitrary web script or HTML via the title field in a single add action.
CVE-2006-3253		0.04	—	0.07	Jun 28, 2006	Cross-site scripting (XSS) vulnerability in member.php in vBulletin 3.5.x allows remote attackers to inject arbitrary web script or HTML via the u parameter. NOTE: the vendor has disputed this report, stating that they have been unable to replicate the issue and that "the userid parameter is run through our filtering system as an unsigned integer.
CVE-2002-1660		0.04	—	0.08	Dec 31, 2002	calendar.php in vBulletin before 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the command parameter.
CVE-2014-2021		0.03	—	0.01	Oct 25, 2014	Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
CVE-2014-2022		0.03	—	0.01	Oct 15, 2014	SQL injection vulnerability in includes/api/4/breadcrumbs_create.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the conceptid argument in an xmlrpc API request.
CVE-2012-4686		0.03	—	0.00	Aug 28, 2012	SQL injection vulnerability in announcement.php in vBulletin 4.1.10 allows remote attackers to execute arbitrary SQL commands via the announcementid parameter.
CVE-2008-3773		0.03	—	0.04	Aug 22, 2008	Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3.6.10 PL3, when "Show New Private Message Notification Pop-Up" is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a private message subject (aka newpm[title]).
CVE-2008-3184		0.03	—	0.03	Jul 15, 2008	Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.
CVE-2008-2744		0.03	—	0.04	Jun 17, 2008	Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors and an "obscure method." NOTE: the vector is probably in the redirect parameter to the Admin Control Panel (admincp/index.php).

Page 1 of 4