PhpBB

phpBB is an Internet forum package written in the PHP scripting language. The name "phpBB" is an abbreviation of PHP Bulletin Board. Available under the GNU General Public License, phpBB is free and open-source.

Founded: 2000
Products: 66
CVEs: 356
Across products: 357
Status: Private

Recent CVEs

  • CVE-2026-48611 | Critical | Jun 12, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.

  • CVE-2001-1471 | High | Jul 31, 2001
    risk 0.61 | cvss 8.8 | epss 0.08

    prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized, which can be modified…

  • CVE-2025-70810 | High | Apr 9, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism

  • CVE-2025-3014 | High | Mar 31, 2025
    risk 0.54 | cvss not listed | epss 0.00

    Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.

  • CVE-2026-47366 | High | Jun 12, 2026
    risk 0.47 | cvss 7.2 | epss 0.00

    Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the…

  • CVE-2018-1000502 | High | Jun 26, 2018
    risk 0.47 | cvss 7.2 | epss 0.01

    MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be…

  • CVE-2026-29199 | High | May 4, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who…

  • CVE-2018-17128 | Medium | Sep 17, 2018
    risk 0.44 | cvss 5.4 | epss 0.75

    A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.

  • CVE-2018-15596 | Medium | Aug 28, 2018
    risk 0.43 | cvss 6.1 | epss 0.02

    An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't…

  • CVE-2018-10678 | Medium | May 13, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.

  • CVE-2018-10365 | Medium | May 1, 2018
    risk 0.38 | cvss 5.4 | epss 0.02

    An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.

  • CVE-2018-6844 | Medium | Feb 8, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.

  • CVE-2015-3880 | Medium | Sep 19, 2017
    risk 0.33 | cvss 6.1 | epss 0.02

    Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2018-7305 | Medium | Feb 21, 2018
    risk 0.32 | cvss 4.9 | epss 0.00

    MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.

  • CVE-2026-48613 | Medium | Jun 12, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have…

  • CVE-2025-70811 | Medium | Apr 9, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.

  • CVE-2018-1000503 | Medium | Jun 26, 2018
    risk 0.28 | cvss 4.3 | epss 0.01

    MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to…

  • CVE-2005-2086 | Jul 5, 2005
    risk 0.10 | cvss not listed | epss 0.85

    PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.

  • CVE-2007-5009 | Sep 20, 2007
    risk 0.07 | cvss not listed | epss 0.45

    PHP remote file inclusion vulnerability in language/lang_german/lang_main_album.php in phpBB Plus 1.53, and 1.53a before 20070922, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

  • CVE-2008-0382 | Jan 22, 2008
    risk 0.06 | cvss not listed | epss 0.42

    Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php.