phpBB
phpBB is an Internet forum package written in the PHP scripting language. The name "phpBB" is an abbreviation of PHP Bulletin Board. Available under the GNU General Public License, phpBB is free and open-source.
Products
66 products tracked for this vendor. Per-product CVE counts shown on the page: 119, 104, 74, 17, 4, 4, 3, 3, seven products with 2 CVEs each and fifteen products with 1 CVE each. The product names themselves are not present in this copy of the page.
Recent CVEs (356 tracked)
Note that several entries in this vendor listing concern MyBB and other products rather than phpBB itself; check the description before treating a row as a phpBB issue. The Vendor/Product and KEV columns carried no data and are omitted.

| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-48611 | Critical | 0.64 | 9.8 | 0.01 | Jun 12, 2026 | Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled, leading to unauthorized access in default installations. |
| CVE-2001-1471 | High | 0.61 | 8.8 | 0.08 | Jul 31, 2001 | prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized, which can be modified… |
| CVE-2025-70810 | High | 0.57 | 8.8 | 0.00 | Apr 9, 2026 | Cross-Site Request Forgery vulnerability in phpBB phpBB3 v3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism. |
| CVE-2025-3014 | High | 0.54 | — | 0.00 | Mar 31, 2025 | Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to gain access by manipulating request parameters or object references. |
| CVE-2026-47366 | High | 0.47 | 7.2 | 0.00 | Jun 12, 2026 | Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the… |
| CVE-2018-1000502 | High | 0.47 | 7.2 | 0.01 | Jun 26, 2018 | MyBB Group MyBB contains a File Inclusion vulnerability in the Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appears to be… |
| CVE-2026-29199 | High | 0.46 | 8.1 | 0.00 | May 4, 2026 | phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who… |
| CVE-2018-17128 | Medium | 0.44 | 5.4 | 0.75 | Sep 17, 2018 | A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode. |
| CVE-2018-15596 | Medium | 0.43 | 6.1 | 0.02 | Aug 28, 2018 | An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't… |
| CVE-2018-10678 | Medium | 0.40 | 6.1 | 0.01 | May 13, 2018 | MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks. |
| CVE-2018-10365 | Medium | 0.38 | 5.4 | 0.02 | May 1, 2018 | An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized. |
| CVE-2018-6844 | Medium | 0.35 | 5.4 | 0.01 | Feb 8, 2018 | MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen. |
| CVE-2015-3880 | Medium | 0.33 | 6.1 | 0.02 | Sep 19, 2017 | Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| CVE-2018-7305 | Medium | 0.32 | 4.9 | 0.00 | Feb 21, 2018 | MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts. |
| CVE-2026-48613 | Medium | 0.31 | 5.9 | 0.00 | Jun 12, 2026 | SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have… |
| CVE-2025-70811 | Medium | 0.28 | 4.3 | 0.00 | Apr 9, 2026 | Cross-Site Request Forgery vulnerability in phpBB phpBB3 v3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. |
| CVE-2018-1000503 | Medium | 0.28 | 4.3 | 0.01 | Jun 26, 2018 | MyBB Group MyBB contains an Incorrect Access Control vulnerability in Private forums that lets users view posts from private forums without having the password. This attack appears to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to… |
| CVE-2005-2086 | — | 0.10 | — | 0.85 | Jul 5, 2005 | PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code. |
| CVE-2007-5009 | — | 0.07 | — | 0.45 | Sep 20, 2007 | PHP remote file inclusion vulnerability in language/lang_german/lang_main_album.php in phpBB Plus 1.53, and 1.53a before 20070922, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. |
| CVE-2008-0382 | — | 0.06 | — | 0.42 | Jan 22, 2008 | Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php. |
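The CVE-2026-29199 entry describes a mechanism worth seeing end to end: when force_server_vars is disabled, the hostname of the password-reset link is taken from the HTTP Host header, which any client controls. The following is an added illustration written for this page, not phpBB's own code. It models that weak behaviour beside a hardened version. The config key names (force_server_vars, server_name, server_protocol) follow the setting named in the description; the request structure, the ucp.php reset path and the host allowlist are constructed for the example.

```python
"""Password-reset link poisoning via the HTTP Host header.

Illustration added for the CVE-2026-29199 entry; not phpBB's code. With
force_server_vars off, the hostname for an absolute URL comes from the
Host header, so the reset link e-mailed to a victim can point at an
attacker's host. Config key names follow the advisory; request shape,
reset path and allowlist are assumptions made for this example.
"""
import secrets
from urllib.parse import urlencode, urlparse

# Constructed forum configuration (made-up values).
CONFIG = {
    "force_server_vars": False,
    "server_protocol": "https://",
    "server_name": "forum.example.org",
    "script_path": "/",
}

# Constructed request headers. The Host header is attacker-controlled: any
# client can send any Host value, and a default virtual host that answers
# for unknown names will hand it to the application unchanged.
ATTACKER_REQUEST = {"Host": "evil.example.net", "X-Forwarded-Proto": "https"}
LEGIT_REQUEST = {"Host": "forum.example.org"}


def reset_query(user_id, token):
    """Query string of the reset link (shape assumed for the example)."""
    return urlencode({"mode": "reset_password", "u": user_id, "token": token})


def build_reset_link_vulnerable(config, headers, user_id, token):
    """Weak behaviour: with force_server_vars off, the link host comes from
    the request. An attacker requests a reset for the victim; the victim's
    token is mailed inside a link to the attacker's host and leaks when the
    victim clicks it."""
    if config["force_server_vars"]:
        proto, host = config["server_protocol"], config["server_name"]
    else:
        host = headers.get("Host", config["server_name"])
        proto = "https://" if headers.get("X-Forwarded-Proto") == "https" else "http://"
    return f"{proto}{host}{config['script_path']}ucp.php?{reset_query(user_id, token)}"


def host_is_trusted(headers, allowed_hosts):
    """Allowlist check on the Host header (port stripped, case-folded)."""
    return headers.get("Host", "").split(":", 1)[0].lower() in allowed_hosts


def build_reset_link_hardened(config, headers, user_id, token, allowed_hosts):
    """Two independent controls: reject requests whose Host is not on the
    operator's allowlist, and build security-sensitive links only from the
    configured server_name, never from request headers."""
    if not host_is_trusted(headers, allowed_hosts):
        raise ValueError(f"untrusted Host header: {headers.get('Host')!r}")
    return (f"{config['server_protocol']}{config['server_name']}"
            f"{config['script_path']}ucp.php?{reset_query(user_id, token)}")


def link_host(url):
    """Hostname component of a generated link, for inspection."""
    return urlparse(url).hostname


if __name__ == "__main__":
    token = secrets.token_hex(16)
    print("vulnerable: ", build_reset_link_vulnerable(CONFIG, ATTACKER_REQUEST, 42, token))
    forced = dict(CONFIG, force_server_vars=True)
    print("forced vars:", build_reset_link_vulnerable(forced, ATTACKER_REQUEST, 42, token))
    print("hardened:   ", build_reset_link_hardened(CONFIG, LEGIT_REQUEST, 42, token,
                                                    {"forum.example.org"}))
```

Run as-is, the vulnerable builder emits a link on evil.example.net for the attacker's request, while the same call with force_server_vars enabled emits the configured host, which is the mitigation the description points to for installations that cannot immediately move to 3.3.16. The hardened builder shows the general pattern: treat Host as untrusted input, validate it against an allowlist, and never let it decide where a token-bearing link points.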