Products

1 vendor

| Vendor | Products | CVEs | KEV | Avg EPSS | Worst Severity |
|---|---|---|---|---|---|
| | 5 | 52 | 2 | 76.1% | CRITICAL |

Related CVEs (52)

| CVE ID | Description | Severity | CVSS | KEV | EPSS | Published |
|---|---|---|---|---|---|---|
| CVE-2025-46171 | vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum. | MEDIUM | 5.4 | | 16.3% | Jul 23, 2025 |
| CVE-2025-48828 | Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025. | HIGH | 8.1 | | 98.7% | May 27, 2025 |
| CVE-2025-48827 | vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025. | CRITICAL | 9.8 | | 99.3% | May 27, 2025 |
| CVE-2023-39777 | A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login URL parameter. | MEDIUM | 5.4 | | 30.5% | Sep 16, 2023 |
| CVE-2023-25135 | vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. | CRITICAL | 9.8 | | | Feb 3, 2023 |
| CVE-2020-7373 | vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | CRITICAL | 9.8 | | 98.7% | Oct 30, 2020 |
| CVE-2020-25124 | The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. | MEDIUM | 4.8 | | 42.0% | Sep 3, 2020 |
| CVE-2020-25123 | The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. | MEDIUM | 4.8 | | 42.0% | Sep 3, 2020 |
| CVE-2020-25122 | The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. | MEDIUM | 4.8 | | 42.0% | Sep 3, 2020 |
| CVE-2020-25121 | The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options. | MEDIUM | 4.8 | | 47.3% | Sep 3, 2020 |
| CVE-2020-25120 | The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI. | MEDIUM | 4.8 | | 42.0% | Sep 3, 2020 |
| CVE-2020-25119 | The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual. | MEDIUM | 4.8 | | 47.0% | Sep 3, 2020 |
| CVE-2020-25118 | The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager. | MEDIUM | 4.8 | | 42.0% | Sep 3, 2020 |
| CVE-2020-25117 | The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager. | MEDIUM | 4.8 | | 42.0% | Sep 3, 2020 |
| CVE-2020-25116 | The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager. | MEDIUM | 4.8 | | 42.0% | Sep 3, 2020 |
| CVE-2020-25115 | The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager. | MEDIUM | 4.8 | | 42.0% | Sep 3, 2020 |
| CVE-2020-17496 | vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. | CRITICAL | 9.8 | KEV | 99.7% | Aug 12, 2020 |
| CVE-2020-12720 | vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | CRITICAL | 9.8 | | 99.8% | May 8, 2020 |
| CVE-2019-17271 | vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList `where` parameter. | MEDIUM | 4.9 | | 70.0% | Oct 8, 2019 |
| CVE-2019-17132 | vBulletin through 5.5.4 mishandles custom avatars. | CRITICAL | 9.8 | | 95.6% | Oct 4, 2019 |