phpbb group phpbb

128 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-70811
all versions
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin C
4.3 MEDIUM
CVE-2025-70810
all versions
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login f
8.8 HIGH
CVE-2023-5917
< 3.3.11
A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main o
2.4 LOW
CVE-2020-8226
< 3.2.10
A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF.
5.8 MEDIUM
CVE-2019-16108
all versions
phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.
7.5 HIGH
CVE-2019-16107
all versions
Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments.
4.3 MEDIUM
CVE-2020-5502
all versions
phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships.
6.5 MEDIUM
CVE-2020-5501
all versions
phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.
4.3 MEDIUM
CVE-2011-0544
>= 3.0.0 and <= 3.0.6
phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag.
6.1 MEDIUM
CVE-2019-16993
<= 3.1.7
In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Admini
8.8 HIGH
CVE-2019-13376
all versions
phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feat
6.5 MEDIUM
CVE-2019-11767
< 3.2.6
Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local netw
5.8 MEDIUM
CVE-2019-9826
<= 3.2.5
The fulltext search component in phpBB before 3.2.6 allows Denial of Service.
7.5 HIGH
CVE-2018-19274
< 3.2.4
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by emp
7.2 HIGH
CVE-2017-1000419
all versions
phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar function resulting allowing an attacker to perform port scanning, r
7.5 HIGH
CVE-2015-3880
<= 3.0.14
Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chro
6.1 MEDIUM
CVE-2015-1432
<= 3.0.12
The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, wh
CVE-2015-1431
<= 3.0.12
Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrar
CVE-2010-1630
<= 3.0.4
Unspecified vulnerability in posting.php in phpBB before 3.0.5 has unknown impact and attack vectors related to the use of a "foru
CVE-2010-1627
all versions
feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check permissions for feeds, which allows remote attackers to bypass in
CVE-2008-7143
all versions
phpBB 2.0.23 includes the session ID in a request to modcp.php when the moderator or administrator closes a thread, which allows r
CVE-2008-6507
all versions
Unspecified vulnerability in phpBB before 3.0.4 allows attackers to obtain sensitive information via unknown vectors related to th
CVE-2008-6506
<= 3.0.3
Unspecified vulnerability in phpBB before 3.0.4 allows attackers to bypass intended access restrictions and activate de-activated
CVE-2008-4125
all versions
The search function in phpBB 2.x provides a search_id value that leaks the state of PHP's PRNG, which allows remote attackers to o
CVE-2008-3224
<= 3.0.1
Unspecified vulnerability in phpBB before 3.0.1 has unknown impact and attack vectors related to "urls gone through redirect() bei
CVE-2008-1766
<= 3.0.0
Multiple unspecified vulnerabilities in phpBB before 3.0.1 have unknown impact and attack vectors, related to "two minor security-
CVE-2008-1171
all versions
Multiple PHP remote file inclusion vulnerabilities in the 123 Flash Chat Module for phpBB allow remote attackers to execute arbitr
CVE-2008-0471
all versions
Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages
CVE-2007-5688
all versions
Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and
CVE-2007-5173
all versions
PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID/BBStore.php in phpBB Openid 0.2.0 allows remote attackers t
CVE-2007-4653
<= 2.0.22
SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers t
CVE-2007-1695
all versions
PHP remote file inclusion vulnerability in includes/usercp_register.php in phpBB 2.0.19 allows remote attackers to execute arbitra
CVE-2006-7174
all versions
PHP remote file inclusion vulnerability in includes/functions.php in the Dimension module of phpBB allows remote attackers to exec
CVE-2006-7168
all versions
PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute
CVE-2006-2220
all versions
phpBB 2.0.20 does not properly verify user-specified input variables used as limits to SQL queries, which allows remote attackers
CVE-2006-2219
all versions
phpBB 2.0.20 does not verify user-specified input variable types before being passed to type-dependent functions, which allows rem
CVE-2006-6841
all versions
Certain forms in phpBB before 2.0.22 lack session checks, which has unknown impact and remote attack vectors.
CVE-2006-6840
all versions
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to a "negative start paramet
CVE-2006-6839
all versions
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to "criteria for 'bad' redir
CVE-2006-6593
all versions
PHP remote file inclusion vulnerability in zufallscodepart.php in AMAZONIA MOD for phpBB allows remote attackers to execute arbitr
CVE-2006-6508
all versions
Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.21 allows remote authenticated users to send unauthorized messages as
CVE-2006-6421
all versions
Cross-site scripting (XSS) vulnerability in the private message box implementation (privmsg.php) in phpBB 2.0.x allows remote auth
CVE-2006-5435
<= 2.0.10
PHP remote file inclusion vulnerability in groupcp.php in phpBB 2.0.10 and earlier allows remote attackers to execute arbitrary PH
CVE-2006-5390
all versions
PHP remote file inclusion vulnerability in includes/functions_mod_user.php in the ACP User Registration (MMW) 1.00 module for phpB
CVE-2006-5312
<= 0.0.5
PHP remote file inclusion vulnerability in shoutbox.php in the Ajax Shoutbox 0.0.5 and earlier module for phpBB allows remote atta
CVE-2006-5209
all versions
PHP remote file inclusion vulnerability in admin/admin_topic_action_logging.php in Admin Topic Action Logging Mod 0.95 and earlier
CVE-2006-5191
<= 1.0
PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0
CVE-2006-4758
all versions
phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload ar
CVE-2006-4450
all versions
usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, allows remote attackers to use the server as a web proxy by s
CVE-2006-3940
all versions
Multiple SQL injection vulnerabilities in phpbb-Auction allow remote attackers to execute arbitrary SQL commands via (1) the ar pa
CVE-2006-2865
all versions
PHP remote file inclusion vulnerability in template.php in phpBB 2 allows remote attackers to execute arbitrary PHP code via a URL
CVE-2006-2360
all versions
SQL injection vulnerability in charts.php in the Chart mod for phpBB allows remote attackers to execute arbitrary SQL commands via
CVE-2006-2359
all versions
Cross-site scripting (XSS) vulnerability in charts.php in the Chart mod for phpBB allows remote attackers to inject arbitrary web
CVE-2006-2245
all versions
PHP remote file inclusion vulnerability in auction\auction_common.php in Auction mod 1.3m for phpBB allows remote attackers to exe
CVE-2006-2134
<= 2.0.2
PHP remote file inclusion vulnerability in /includes/kb_constants.php in Knowledge Base Mod for PHPbb 2.0.2 and earlier allows rem
CVE-2006-1896
all versions
Unspecified vulnerability in phpBB allows remote authenticated users with Administration Panel access to execute arbitrary PHP cod
CVE-2006-1895
all versions
Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access t
CVE-2006-1775
all versions
Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML
CVE-2006-1603
all versions
Cross-site scripting (XSS) vulnerability in profile.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or
CVE-2006-0632
all versions
The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("va
CVE-2006-0438
all versions
Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows
CVE-2006-0437
all versions
Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web scri
CVE-2006-0450
all versions
phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users th
CVE-2006-0063
all versions
Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject a
CVE-2005-3537
all versions
A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, pro
CVE-2005-3536
all versions
SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote attackers to execute arbitrary SQL commands via the topic type.
CVE-2005-4358
all versions
admin/admin_disallow.php in phpBB 2.0.18 allows remote attackers to obtain the installation path via a direct request with a non-e
CVE-2005-4357
all versions
Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject a
CVE-2005-3799
all versions
phpBB 2.0.18 allows remote attackers to obtain sensitive information via a large SQL query, which generates an error message that
CVE-2005-3420
all versions
usercp_register.php in phpBB 2.0.17 allows remote attackers to modify regular expressions and execute PHP code via the signature_b
CVE-2005-3419
all versions
SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 allows remote attackers to execute arbitrary SQL commands via t
CVE-2005-3418
all versions
Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 and earlier allow remote attackers to inject arbitrary web scr
CVE-2005-3417
all versions
phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables
CVE-2005-3416
all versions
phpBB 2.0.17 and earlier, when register_globals is enabled and the session_start function has not been called to handle a session,
CVE-2005-3415
all versions
phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both
CVE-2005-3310
all versions
Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to in
CVE-2005-2161
all versions
Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote attackers to inject arbitrary web script or HTML via nested
CVE-2005-2086
all versions
PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary
CVE-2005-1193
all versions
The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php
CVE-2005-1290
all versions
Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web scr
CVE-2005-1235
all versions
auction_my_auctions.php in phpbb-Auction 1.2m and earlier allows remote attackers to obtain sensitive information via an invalid m
CVE-2005-1234
all versions
Multiple SQL injection vulnerabilities in phpbb-Auction allow remote attackers to execute arbitrary SQL commands via the (1) u par
CVE-2005-1196
all versions
SQL injection vulnerability in kb.php in the Knowledge Base module for phpBB allows remote attackers to obtain sensitive informati
CVE-2005-1116
all versions
Cross-site scripting (XSS) vulnerability in the Calendar module for phpBB allow remote attackers to inject arbitrary web script or
CVE-2005-1115
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Photo Album 2.0.53 module for phpBB allow remote attackers to inject arbitr
CVE-2005-1114
all versions
Multiple SQL injection vulnerabilities in album_search.php in Photo Album 2.0.53 for phpBB allow remote attackers to execute arbit
CVE-2005-0872
all versions
Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote atta
CVE-2005-0871
all versions
calendar_scheduler.php in Topic Calendar 1.0.1 module for phpBB, when running on a Microsoft IIS server, allows remote attackers t
CVE-2005-0673
all versions
Cross-site scripting (XSS) vulnerability in usercp_register.php for phpBB 2.0.13 allows remote attackers to inject arbitrary web s
CVE-2005-0659
all versions
phpBB 2.0.13 and earlier allows remote attackers to obtain sensitive information via a direct request to oracle.php, which reveals
CVE-2005-0614
all versions
sessions.php in phpBB 2.0.12 and earlier allows remote attackers to gain administrator privileges via the autologinid value in a c
CVE-2005-1047
all versions
Meilad File upload script (up.php) mod for phpBB 2.0.x does not properly limit the types of files that can be uploaded, which allo
CVE-2005-0259
all versions
phpBB 2.0.11, and possibly other versions, with remote avatars and avatar uploading enabled, allows local users to read arbitrary
CVE-2005-0258
all versions
Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versio
CVE-2005-0603
all versions
viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter contai
CVE-2004-2350
all versions
SQL injection vulnerability in search.php for phpBB 1.0 through 2.0.6 allows remote attackers to execute arbitrary SQL and gain pr
CVE-2004-2054
all versions
CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote attackers to perform HTTP Response Splitting attacks to modify
CVE-2004-1809
all versions
Cross-site scripting (XSS) vulnerability in phpBB 2.0.6d and earlier allows remote attackers to inject arbitrary web script or HTM
CVE-2004-1535
all versions
PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arb
CVE-2004-2130
all versions
Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary scri
CVE-2004-0339
all versions
Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, possibly 2.0.6c and earlier, allows remote attackers to execut
CVE-2004-1315
all versions
viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highl
CVE-2004-0730
all versions
Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 allow remote attackers to inject arbitrary web script or HTML v
CVE-2004-0729
all versions
PhpBB 2.0.8 allows remote attackers to gain sensitive information via an invalid (1) category_rows parameter to index.php, (2) faq
CVE-2004-2055
all versions
Cross-site scripting (XSS) vulnerability in search.php for PhpBB 2.0.4 and 2.0.9 allows remote attackers to inject arbitrary HTMl
CVE-2004-1950
all versions
phpBB 2.0.8a and earlier trusts the IP address that is in the X-Forwarded-For in the HTTP header, which allows remote attackers to
CVE-2004-1943
all versions
PHP remote file inclusion vulnerability in album_portal.php in phpBB modified by Przemo 1.8 allows remote attackers to execute arb
CVE-2003-1530
all versions
SQL injection vulnerability in privmsg.php in phpBB 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands vi
CVE-2003-1373
all versions
Directory traversal vulnerability in auth.php for PhpBB 1.4.0 through 1.4.4 allows remote attackers to read and include arbitrary
CVE-2003-1244
all versions
SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and 2.0.2 allows remote attackers to brute force user passwords
CVE-2003-1215
all versions
SQL injection vulnerability in groupcp.php for phpBB 2.0.6 and earlier allows group moderators to perform unauthorized activities
CVE-2003-1216
all versions
SQL injection vulnerability in search.php for phpBB 2.0.6 and earlier allows remote attackers to execute arbitrary SQL and gain pr
CVE-2003-0486
<= 2.0.5
SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the
CVE-2003-0484
all versions
Cross-site scripting (XSS) vulnerability in viewtopic.php for phpBB allows remote attackers to insert arbitrary web script via the
CVE-2002-1537
all versions
admin_ug_auth.php in phpBB 2.0.0 allows local users to gain administrator privileges by directly calling admin_ug_auth.php with mo
CVE-2002-2346
all versions
phpBB 2.0 through 2.0.3 generates names for uploaded avatar files with the hex-encoded IP address of the client system, which allo
CVE-2002-2287
all versions
PHP remote file inclusion vulnerability in quick_reply.php for phpBB Advanced Quick Reply Hack 1.0.0 and 1.1.0 allows remote attac
CVE-2002-2255
all versions
Cross-site scripting (XSS) vulnerability in search.php in phpBB 2.0.3 and possibly earlier versions allows remote attackers to inj
CVE-2002-2176
all versions
SQL injection vulnerability in Gender MOD 1.1.3 allows remote attackers to gain administrative access via the user_level parameter
CVE-2002-1894
all versions
Cross-site scripting (XSS) vulnerability in viewtopic.php in phpBB 2.0.3 allows remote attackers to inject arbitrary web script or
CVE-2002-1707
all versions
install.php in phpBB 2.0 through 2.0.1, when "allow_url_fopen" and "register_globals" variables are set to "on", allows remote att
CVE-2002-0902
all versions
Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remote attackers to execute Javascript as other phpBB users by i
CVE-2002-0533
all versions
phpBB 1.4.4 and earlier with BBcode allows remote attackers to cause a denial of service (CPU consumption) and corrupt the databas
CVE-2002-0475
all versions
Cross-site scripting vulnerability in phpBB 1.4.4 and earlier allows remote attackers to execute arbitrary Javascript on web clien
CVE-2002-0473
all versions
db.php in phpBB 2.0 (aka phpBB2) RC-3 and earlier allows remote attackers to execute arbitrary code from remote servers via the ph
CVE-2001-1482
all versions
SQL injection vulnerability in bb_memberlist.php for phpBB 1.4.2 allows remote attackers to execute arbitrary SQL queries via the
CVE-2001-1472
all versions
SQL injection vulnerability in prefs.php in phpBB 1.4.0 and 1.4.1 allows remote authenticated users to execute arbitrary SQL comma
CVE-2001-1471
<= 1.4.0
prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value
8.8 HIGH
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin