VYPR
Vendor: Jelsoft

Products: 22
CVEs: 118
Across products: 124
Status: Private

Recent CVEs

  • CVE-2016-6195 | Critical | Aug 30, 2016
    risk 0.72 | cvss 9.8 | epss 0.68

    SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in…

  • CVE-2017-17672 | Critical | Dec 14, 2017
    risk 0.68 | cvss 9.8 | epss 0.15

    In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which…

  • CVE-2014-2023 | Critical | Oct 26, 2017
    risk 0.67 | cvss 9.8 | epss 0.04

    Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in…

  • CVE-2017-17671 | Critical | Dec 14, 2017
    risk 0.64 | cvss 9.8 | epss 0.03

    vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is…

  • CVE-2014-9463 | High | Sep 15, 2017
    risk 0.61 | cvss 8.8 | epss 0.15

    functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.

  • CVE-2016-6483 | High | Sep 2, 2016
    risk 0.60 | cvss 8.6 | epss 0.12

    The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1…

  • CVE-2017-7569 | High | Apr 6, 2017
    risk 0.56 | cvss 8.6 | epss 0.01

    In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037.

  • CVE-2015-3419 | Medium | Sep 19, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conversations via vectors related to an input validation failure.

  • CVE-2018-6200 | Medium | Jan 25, 2018
    risk 0.40 | cvss 6.1 | epss 0.03

    vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.

  • CVE-2014-9469 | Medium | Aug 28, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3.

  • CVE-2026-9357 | Low | May 24, 2026
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is…

  • CVE-2020-17496 | KEV | Aug 12, 2020
    risk 0.23 | cvss (none listed) | epss 0.88

    vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.

  • CVE-2019-16759 | KEV | Sep 24, 2019
    risk 0.23 | cvss (none listed) | epss 1.00

    vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

  • CVE-2020-12720 | May 7, 2020
    risk 0.11 | cvss (none listed) | epss 0.89

    vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

  • CVE-2025-48827 | May 27, 2025
    risk 0.09 | cvss (none listed) | epss 0.70

    vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

  • CVE-2025-48828 | May 27, 2025
    risk 0.09 | cvss (none listed) | epss 0.48

    Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass…

  • CVE-2015-7808 | Nov 24, 2015
    risk 0.09 | cvss (none listed) | epss 0.81

    The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

  • CVE-2023-25135 | Feb 3, 2023
    risk 0.07 | cvss (none listed) | epss 0.24

    vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.…

  • CVE-2013-6129 | Oct 19, 2013
    risk 0.07 | cvss (none listed) | epss 0.52

    The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013.

  • CVE-2005-0511 | Feb 21, 2005
    risk 0.06 | cvss (none listed) | epss 0.36

    misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter.