phpBB
by PhpBB
Source repositories
CVEs (119)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-48611 | Cri | 0.64 | 9.8 | 0.01 | Jun 12, 2026 | Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations. | ||
| CVE-2001-1471 | Hig | 0.61 | 8.8 | 0.08 | Jul 31, 2001 | prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized, which can be modified… | ||
| CVE-2025-70810 | Hig | 0.57 | 8.8 | 0.00 | Apr 9, 2026 | Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism | ||
| CVE-2026-47366 | Hig | 0.47 | 7.2 | 0.00 | Jun 12, 2026 | Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the… | ||
| CVE-2026-29199 | Hig | 0.46 | 8.1 | 0.00 | May 4, 2026 | phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who… | ||
| CVE-2015-3880 | Med | 0.33 | 6.1 | 0.02 | Sep 19, 2017 | Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors. | ||
| CVE-2026-48613 | Med | 0.31 | 5.9 | 0.00 | Jun 12, 2026 | SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have… | ||
| CVE-2025-70811 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2026 | Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. | ||
| CVE-2005-2086 | 0.10 | — | 0.85 | Jul 5, 2005 | PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code. | |||
| CVE-2006-7168 | 0.04 | — | 0.07 | Mar 20, 2007 | PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | |||
| CVE-2006-6421 | 0.04 | — | 0.15 | Dec 10, 2006 | Cross-site scripting (XSS) vulnerability in the private message box implementation (privmsg.php) in phpBB 2.0.x allows remote authenticated users to inject arbitrary web script or HTML via the "Message body" field in a message to a non-existent user. | |||
| CVE-2005-1193 | 0.04 | — | 0.16 | May 16, 2005 | The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4)… | |||
| CVE-2005-0872 | 0.04 | — | 0.06 | May 2, 2005 | Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter. | |||
| CVE-2004-1535 | 0.04 | — | 0.06 | Dec 31, 2004 | PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code. | |||
| CVE-2004-2130 | 0.04 | — | 0.07 | Dec 23, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables. | |||
| CVE-2002-0902 | 0.04 | — | 0.07 | Oct 4, 2002 | Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remote attackers to execute Javascript as other phpBB users by including a http:// and a double-quote (") in the [IMG] tag, which bypasses phpBB's security check, terminates the src parameter of the resulting HTML… | |||
| CVE-2008-1350 | 0.03 | — | 0.01 | Mar 17, 2008 | SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) 80220 allows remote attackers to execute arbitrary SQL commands via the k parameter in an article action. | |||
| CVE-2007-5688 | 0.03 | — | 0.01 | Oct 29, 2007 | Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and Invision Power Board (IPB or IP.Board), allow remote attackers to execute arbitrary SQL commands via the (1) go and (2) cat parameters. | |||
| CVE-2007-5173 | 0.03 | — | 0.03 | Oct 3, 2007 | PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID/BBStore.php in phpBB Openid 0.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the openid_root_path parameter. | |||
| CVE-2007-4653 | 0.03 | — | 0.01 | Sep 4, 2007 | SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter in a search action. |
- risk 0.64cvss 9.8epss 0.01
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.
- risk 0.61cvss 8.8epss 0.08
prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized, which can be modified…
- risk 0.57cvss 8.8epss 0.00
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism
- risk 0.47cvss 7.2epss 0.00
Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the…
- risk 0.46cvss 8.1epss 0.00
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who…
- risk 0.33cvss 6.1epss 0.02
Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors.
- risk 0.31cvss 5.9epss 0.00
SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have…
- risk 0.28cvss 4.3epss 0.00
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.
- CVE-2005-2086Jul 5, 2005risk 0.10cvss —epss 0.85
PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.
- CVE-2006-7168Mar 20, 2007risk 0.04cvss —epss 0.07
PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
- CVE-2006-6421Dec 10, 2006risk 0.04cvss —epss 0.15
Cross-site scripting (XSS) vulnerability in the private message box implementation (privmsg.php) in phpBB 2.0.x allows remote authenticated users to inject arbitrary web script or HTML via the "Message body" field in a message to a non-existent user.
- CVE-2005-1193May 16, 2005risk 0.04cvss —epss 0.16
The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4)…
- CVE-2005-0872May 2, 2005risk 0.04cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter.
- CVE-2004-1535Dec 31, 2004risk 0.04cvss —epss 0.06
PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code.
- CVE-2004-2130Dec 23, 2004risk 0.04cvss —epss 0.07
Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables.
- CVE-2002-0902Oct 4, 2002risk 0.04cvss —epss 0.07
Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remote attackers to execute Javascript as other phpBB users by including a http:// and a double-quote (") in the [IMG] tag, which bypasses phpBB's security check, terminates the src parameter of the resulting HTML…
- CVE-2008-1350Mar 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) 80220 allows remote attackers to execute arbitrary SQL commands via the k parameter in an article action.
- CVE-2007-5688Oct 29, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and Invision Power Board (IPB or IP.Board), allow remote attackers to execute arbitrary SQL commands via the (1) go and (2) cat parameters.
- CVE-2007-5173Oct 3, 2007risk 0.03cvss —epss 0.03
PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID/BBStore.php in phpBB Openid 0.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the openid_root_path parameter.
- CVE-2007-4653Sep 4, 2007risk 0.03cvss —epss 0.01
SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter in a search action.
Page 1 of 6