CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2019-16759

CVSS 9.8v3.1pub. 2019-09-24upd. 2025-11-07

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vbulletin

    APP
    Vbulletin
    5.0.0 – 5.5.4

CISA KEV — detailsi

Vendori
vBulletin
Producti
vBulletin
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 maja 2022
CWE
References

Related vulnerabilities

CVE-2020-17496CRITICAL9.8⚠ KEVten sam produkt

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/wi...

CVE-2025-48828CRITICAL9.0PL ✓ten sam produkt

RCE w vBulletin poprzez Template Conditionals — wykonanie dowolnego kodu PHP

CVE-2025-48827CRITICAL10.0PL ✓ten sam produkt

vBulletin — nieautoryzowany dostęp do chronionych metod API (RCE)

CVE-2023-25135CRITICAL9.8ten sam produkt

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted H...

CVE-2020-7373CRITICAL9.8ten sam produkt

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/wi...