CRITICAL🇵🇱 Wersja polska

CVE-2025-48828

CVSS 9.0v3.1pub. 2025-05-27upd. 2025-06-25

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Vbulletin

    APP
    Vbulletin
    6.0.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-17496CRITICAL9.8⚠ KEVten sam produkt

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/wi...

CVE-2019-16759CRITICAL9.8⚠ KEVten sam produkt

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/re...

CVE-2025-48827CRITICAL10.0PL ✓ten sam produkt

vBulletin — nieautoryzowany dostęp do chronionych metod API (RCE)

CVE-2023-25135CRITICAL9.8ten sam produkt

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted H...

CVE-2020-7373CRITICAL9.8ten sam produkt

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/wi...