VYPR

phpBB

by PhpBB

CVEs (119)

  • CVE-2026-48611 | Cri | Jun 12, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.

  • CVE-2001-1471 | Hig | Jul 31, 2001
    risk 0.61 | cvss 8.8 | epss 0.08

    prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized, which can be modified…

  • CVE-2025-70810 | Hig | Apr 9, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    Cross Site Request Forgery vulnerability in phpBB phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism.

  • CVE-2026-47366 | Hig | Jun 12, 2026
    risk 0.47 | cvss 7.2 | epss 0.00

    Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the…

  • CVE-2026-29199 | Hig | May 4, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who…

  • CVE-2015-3880 | Med | Sep 19, 2017
    risk 0.33 | cvss 6.1 | epss 0.02

    Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2026-48613 | Med | Jun 12, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have…

  • CVE-2025-70811 | Med | Apr 9, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Cross Site Request Forgery vulnerability in phpBB phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.

  • CVE-2005-2086 | Jul 5, 2005
    risk 0.10 | cvss | epss 0.85

    PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.

  • CVE-2006-7168 | Mar 20, 2007
    risk 0.04 | cvss | epss 0.07

    PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

  • CVE-2006-6421 | Dec 10, 2006
    risk 0.04 | cvss | epss 0.15

    Cross-site scripting (XSS) vulnerability in the private message box implementation (privmsg.php) in phpBB 2.0.x allows remote authenticated users to inject arbitrary web script or HTML via the "Message body" field in a message to a non-existent user.

  • CVE-2005-1193 | May 16, 2005
    risk 0.04 | cvss | epss 0.16

    The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4)…

  • CVE-2005-0872 | May 2, 2005
    risk 0.04 | cvss | epss 0.06

    Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter.

  • CVE-2004-1535 | Dec 31, 2004
    risk 0.04 | cvss | epss 0.06

    PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code.

  • CVE-2004-2130 | Dec 23, 2004
    risk 0.04 | cvss | epss 0.07

    Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables.

  • CVE-2002-0902 | Oct 4, 2002
    risk 0.04 | cvss | epss 0.07

    Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remote attackers to execute JavaScript as other phpBB users by including a http:// and a double-quote (") in the [IMG] tag, which bypasses phpBB's security check, terminates the src parameter of the resulting HTML…

  • CVE-2008-1350 | Mar 17, 2008
    risk 0.03 | cvss | epss 0.01

    SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) 80220 allows remote attackers to execute arbitrary SQL commands via the k parameter in an article action.

  • CVE-2007-5688 | Oct 29, 2007
    risk 0.03 | cvss | epss 0.01

    Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and Invision Power Board (IPB or IP.Board), allow remote attackers to execute arbitrary SQL commands via the (1) go and (2) cat parameters.

  • CVE-2007-5173 | Oct 3, 2007
    risk 0.03 | cvss | epss 0.03

    PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID/BBStore.php in phpBB Openid 0.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the openid_root_path parameter.

  • CVE-2007-4653 | Sep 4, 2007
    risk 0.03 | cvss | epss 0.01

    SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter in a search action.

Page 1 of 6