VYPR

Simple Machines Forum

by Simple Machines

CVEs (42)

  • CVE-2018-10305 | Critical | Apr 24, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    The MessageSearch2 function in PersonalMessage.php in Simple Machines Forum (SMF) before 2.0.15 does not properly use the possible_users variable in a query, which might allow attackers to bypass intended access restrictions.

  • CVE-2016-5726 | Critical | Feb 9, 2017
    risk 0.64 | cvss 9.8 | epss 0.02

    Packages.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the themechanges array parameter.

  • CVE-2016-5727 | High | Feb 9, 2017
    risk 0.57 | cvss 8.8 | epss 0.02

    LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop.

  • CVE-2022-26982 | Apr 5, 2022
    risk 0.04 | cvss – | epss 0.09

    SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting vulnerable PHP code, because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the…

  • CVE-2008-6971 | Aug 13, 2009
    risk 0.04 | cvss – | epss 0.07

    The password reset functionality in Simple Machines Forum (SMF) 1.0.x before 1.0.14, 1.1.x before 1.1.6, and 2.0 before 2.0 beta 4 includes clues about the random number generator state within a hidden form field and generates predictable validation codes, which allows remote…

  • CVE-2008-6741 | Apr 21, 2009
    risk 0.03 | cvss – | epss 0.01

    SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands by setting the db_character_set parameter to a multibyte character set such as big5, which causes the addslashes PHP function to…

  • CVE-2008-6659 | Apr 7, 2009
    risk 0.03 | cvss – | epss 0.03

    Directory traversal vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote authenticated users to configure arbitrary local files for execution via directory traversal sequences in the value of the theme_dir field during a…

  • CVE-2008-6658 | Apr 7, 2009
    risk 0.03 | cvss – | epss 0.02

    Directory traversal vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote authenticated administrators to install packages from arbitrary directories via a .. (dot dot) in the package parameter during an install2 action,…

  • CVE-2008-6657 | Apr 7, 2009
    risk 0.03 | cvss – | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote attackers to hijack the authentication of admins for requests that install packages via the package parameter in an install2 action.

  • CVE-2008-6544 | Mar 30, 2009
    risk 0.03 | cvss – | epss 0.03

    Multiple PHP remote file inclusion vulnerabilities in Simple Machines Forum (SMF) 1.1.4 allow remote attackers to execute arbitrary PHP code via a URL in the (1) settings[default_theme_dir] parameter to Sources/Subs-Graphics.php and (2) settings[default_theme_dir] parameter to…

  • CVE-2007-5646 | Oct 23, 2007
    risk 0.03 | cvss – | epss 0.03

    SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a search2 action to index.php.

  • CVE-2007-0399 | Jan 22, 2007
    risk 0.03 | cvss – | epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action.

  • CVE-2006-5503 | Oct 25, 2006
    risk 0.03 | cvss – | epss 0.02

    Cross-site scripting (XSS) vulnerability in index.php in Simple Machines Forum (SMF) 1.1 RC2 allows remote attackers to inject arbitrary web script or HTML via the action parameter.

  • CVE-2004-1996 | May 5, 2004
    risk 0.03 | cvss – | epss 0.02

    Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.0 allows remote attackers to inject arbitrary web script via the size tag.

  • CVE-2025-67163 | Dec 18, 2025
    risk 0.00 | cvss – | epss 0.00

    A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter.

  • CVE-2013-4395 | Feb 12, 2020
    risk 0.00 | cvss – | epss 0.01

    Simple Machines Forum (SMF) through 2.0.5 has XSS.

  • CVE-2019-12490 | Jan 22, 2020
    risk 0.00 | cvss – | epss 0.02

    An issue was discovered in Simple Machines Forum (SMF) before 2.0.16. Reverse tabnabbing can occur because of use of _blank for external links.

  • CVE-2013-7466 | Mar 7, 2019
    risk 0.00 | cvss – | epss 0.04

    Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with resultant remote code execution, in install.php via ../ directory traversal in the db_type parameter if install.php remains present after installation.

  • CVE-2013-7236 | Apr 29, 2014
    risk 0.00 | cvss – | epss 0.02

    Simple Machines Forum (SMF) 2.0.6, 1.1.19, and earlier allows remote attackers to impersonate arbitrary users via a Unicode homoglyph character in a username.

  • CVE-2013-7235 | Apr 29, 2014
    risk 0.00 | cvss – | epss 0.02

    Simple Machines Forum (SMF) before 1.1.19 and 2.x before 2.0.6 allows remote attackers to impersonate arbitrary users via multiple space characters.
