PhpBB

All CVEs

356 total · sorted by risk
  • CVE-2026-48611 · Cri · Jun 12, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.

  • CVE-2001-1471 · Hig · Jul 31, 2001
    risk 0.61 · cvss 8.8 · epss 0.08

    prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized, which can be modified…

  • CVE-2025-70810 · Hig · Apr 9, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism

  • CVE-2025-3014 · Hig · Mar 31, 2025
    risk 0.54 · cvss · epss 0.00

    Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.

  • CVE-2026-47366 · Hig · Jun 12, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the…

  • CVE-2018-1000502 · Hig · Jun 26, 2018
    risk 0.47 · cvss 7.2 · epss 0.01

    MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appears to be…

  • CVE-2026-29199 · Hig · May 4, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who…

  • CVE-2018-17128 · Med · Sep 17, 2018
    risk 0.44 · cvss 5.4 · epss 0.75

    A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.

  • CVE-2018-15596 · Med · Aug 28, 2018
    risk 0.43 · cvss 6.1 · epss 0.02

    An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't…

  • CVE-2018-10678 · Med · May 13, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.

  • CVE-2018-10365 · Med · May 1, 2018
    risk 0.38 · cvss 5.4 · epss 0.02

    An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.

  • CVE-2018-6844 · Med · Feb 8, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.

  • CVE-2015-3880 · Med · Sep 19, 2017
    risk 0.33 · cvss 6.1 · epss 0.02

    Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2018-7305 · Med · Feb 21, 2018
    risk 0.32 · cvss 4.9 · epss 0.00

    MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.

  • CVE-2026-48613 · Med · Jun 12, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have…

  • CVE-2025-70811 · Med · Apr 9, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.

  • CVE-2018-1000503 · Med · Jun 26, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    MyBB Group MyBB contains an Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appears to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to…

  • CVE-2005-2086 · Jul 5, 2005
    risk 0.10 · cvss · epss 0.85

    PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.

  • CVE-2007-5009 · Sep 20, 2007
    risk 0.07 · cvss · epss 0.45

    PHP remote file inclusion vulnerability in language/lang_german/lang_main_album.php in phpBB Plus 1.53, and 1.53a before 20070922, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

  • CVE-2008-0382 · Jan 22, 2008
    risk 0.06 · cvss · epss 0.42

    Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php.

  • CVE-2006-7168 · Mar 20, 2007
    risk 0.04 · cvss · epss 0.07

    PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

  • CVE-2006-6421 · Dec 10, 2006
    risk 0.04 · cvss · epss 0.15

    Cross-site scripting (XSS) vulnerability in the private message box implementation (privmsg.php) in phpBB 2.0.x allows remote authenticated users to inject arbitrary web script or HTML via the "Message body" field in a message to a non-existent user.

  • CVE-2006-2245 · May 9, 2006
    risk 0.04 · cvss · epss 0.08

    PHP remote file inclusion vulnerability in auction\auction_common.php in Auction mod 1.3m for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

  • CVE-2006-2151 · May 3, 2006
    risk 0.04 · cvss · epss 0.11

    PHP remote file inclusion vulnerability in toplist.php in phpBB TopList 1.3.8 and earlier, when register_globals is enabled, allows remote attackers to include arbitrary files via the phpbb_root_path parameter.

  • CVE-2006-2152 · May 3, 2006
    risk 0.04 · cvss · epss 0.08

    PHP remote file inclusion vulnerability in admin/addentry.php in phpBB Advanced Guestbook 2.4.0 and earlier, when register_globals is enabled, allows remote attackers to include arbitrary files via the phpbb_root_path parameter.

  • CVE-2005-1193 · May 16, 2005
    risk 0.04 · cvss · epss 0.16

    The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4)…

  • CVE-2005-0872 · May 2, 2005
    risk 0.04 · cvss · epss 0.06

    Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter.

  • CVE-2004-1535 · Dec 31, 2004
    risk 0.04 · cvss · epss 0.06

    PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code.

  • CVE-2004-2130 · Dec 23, 2004
    risk 0.04 · cvss · epss 0.07

    Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables.

  • CVE-2002-0902 · Oct 4, 2002
    risk 0.04 · cvss · epss 0.07

    Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remote attackers to execute Javascript as other phpBB users by including a http:// and a double-quote (") in the [IMG] tag, which bypasses phpBB's security check, terminates the src parameter of the resulting HTML…

  • CVE-2018-14575 · Mar 17, 2019
    risk 0.03 · cvss · epss 0.02

    Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject.

  • CVE-2009-2230 · Jun 26, 2009
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in inc/datahandlers/user.php in MyBB (aka MyBulletinBoard) before 1.4.7 allows remote authenticated users to execute arbitrary SQL commands via the birthdayprivacy parameter.

  • CVE-2008-6314 · Feb 27, 2009
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in tag_board.php in the Tag Board module 4.0 and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete action.

  • CVE-2008-6301 · Feb 26, 2009
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in shoutbox_view.php in the Small ShoutBox module 1.4 for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete action.

  • CVE-2008-6198 · Feb 20, 2009
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.

  • CVE-2008-1565 · Mar 31, 2008
    risk 0.03 · cvss · epss 0.02

    Directory traversal vulnerability in forum/irc/irc.php in the PJIRC 0.5 module for phpBB allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the phpEx parameter.

  • CVE-2008-1512 · Mar 25, 2008
    risk 0.03 · cvss · epss 0.02

    Directory traversal vulnerability in admin/admin_xs.php in eXtreme Styles module (XS-Mod) 2.3.1 and 2.4.0 for phpBB allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the phpEx parameter. NOTE: some of these details are obtained from third party…

  • CVE-2008-1350 · Mar 17, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) 80220 allows remote attackers to execute arbitrary SQL commands via the k parameter in an article action.

  • CVE-2008-1305 · Mar 12, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in filebase.php in the Filebase mod for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0787 · Feb 15, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in inc/datahandlers/pm.php in MyBB before 1.2.12 allows remote authenticated users to execute arbitrary SQL commands via the options[disablesmilies] parameter to private.php.

  • CVE-2007-6223 · Dec 4, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in garage.php in phpBB Garage 1.2.0 Beta3 allows remote attackers to execute arbitrary SQL commands via the make_id parameter in a search action in browse mode.

  • CVE-2007-5688 · Oct 29, 2007
    risk 0.03 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and Invision Power Board (IPB or IP.Board), allow remote attackers to execute arbitrary SQL commands via the (1) go and (2) cat parameters.

  • CVE-2007-5173 · Oct 3, 2007
    risk 0.03 · cvss · epss 0.03

    PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID/BBStore.php in phpBB Openid 0.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the openid_root_path parameter.

  • CVE-2007-4984 · Sep 19, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in the Ktauber.com StylesDemo mod for phpBB 2.0.xx allows remote attackers to execute arbitrary SQL commands via the s parameter.

  • CVE-2007-4653 · Sep 4, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter in a search action.

  • CVE-2007-3935 · Jul 21, 2007
    risk 0.03 · cvss · epss 0.04

    PHP remote file inclusion vulnerability in link_main.php in the SupaNav 1.0.0 module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

  • CVE-2007-2211 · Apr 24, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a dayview action.

  • CVE-2007-1961 · Apr 11, 2007
    risk 0.03 · cvss · epss 0.02

    PHP remote file inclusion vulnerability in mutant_functions.php in the Mutant 0.9.2 portal for phpBB 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

  • CVE-2007-1963 · Apr 11, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.

  • CVE-2007-1818 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.03

    PHP remote file inclusion vulnerability in MOD_forum_fields_parse.php in the Forum picture and META tags 1.7 module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

Page 1 of 8