Product
jelsoft vbulletin
103 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-46171
all versions
vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user ha
5.4
MEDIUM
CVE-2025-48828
all versions
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template en
9.0
CRITICAL
CVE-2025-48827
>= 5.0.0 and <= 5.7.5
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods wh
10.0
CRITICAL
CVE-2023-39777
<= 6.0.0
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arb
5.4
MEDIUM
CVE-2023-25135
all versions
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that tri
9.8
CRITICAL
CVE-2020-7373
>= 5.5.4 and <= 5.6.2
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer
9.8
CRITICAL
CVE-2020-25124
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI.
4.8
MEDIUM
CVE-2020-25123
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager.
4.8
MEDIUM
CVE-2020-25122
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager.
4.8
MEDIUM
CVE-2020-25121
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options.
4.8
MEDIUM
CVE-2020-25120
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.
4.8
MEDIUM
CVE-2020-25119
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.
4.8
MEDIUM
CVE-2020-25118
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager.
4.8
MEDIUM
CVE-2020-25117
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.
4.8
MEDIUM
CVE-2020-25116
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.
4.8
MEDIUM
CVE-2020-25115
all versions
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.
4.8
MEDIUM
CVE-2020-17496
>= 5.5.4 and <= 5.6.2
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer
9.8
CRITICAL
CVE-2020-12720
>= 5.0.0 and < 5.5.6
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
9.8
CRITICAL
CVE-2019-17271
<= 5.5.4
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
4.9
MEDIUM
CVE-2019-17132
<= 5.5.4
vBulletin through 5.5.4 mishandles custom avatars.
9.8
CRITICAL
CVE-2019-17131
< 5.5.4
vBulletin before 5.5.4 allows clickjacking.
4.3
MEDIUM
CVE-2019-17130
<= 5.5.4
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
6.5
MEDIUM
CVE-2019-16759
>= 5.0.0 and <= 5.5.4
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php rout
9.8
CRITICAL
CVE-2018-15493
all versions
vBulletin 5.4.3 has an Open Redirect.
6.1
MEDIUM
CVE-2018-6200
>= 3.0.0 and <= 3.8.11
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
6.1
MEDIUM
CVE-2017-17672
>= 5.0.1 and <= 5.3.3
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, u
9.8
CRITICAL
CVE-2017-17671
>= 5.0.1 and <= 5.3.3
vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticat
9.8
CRITICAL
CVE-2015-3419
all versions
vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conv
6.5
MEDIUM
CVE-2014-9469
all versions
Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3.
6.1
MEDIUM
CVE-2017-7569
<= 5.2.6
In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior
8.6
HIGH
CVE-2016-6483
all versions
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x
8.6
HIGH
CVE-2016-6195
<= 4.2.2
SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch
9.8
CRITICAL
CVE-2015-7808
all versions
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object i
CVE-2014-9438
all versions
Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijac
CVE-2014-8670
all versions
Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and cond
CVE-2014-2021
<= 4.2.2
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remo
CVE-2014-2022
<= 4.2.2
SQL injection vulnerability in includes/api/4/breadcrumbs_create.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remo
CVE-2014-5102
all versions
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via
CVE-2014-3135
all versions
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web scri
CVE-2013-6129
all versions
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid
CVE-2013-3522
all versions
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows re
CVE-2011-5251
<= 4.1.3
Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitra
CVE-2012-4686
all versions
SQL injection vulnerability in announcement.php in vBulletin 4.1.10 allows remote attackers to execute arbitrary SQL commands via
CVE-2012-4328
all versions
Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4
CVE-2012-3844
all versions
Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a
CVE-2008-6256
all versions
SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to exec
CVE-2008-6255
all versions
Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL comma
CVE-2008-4706
all versions
SQL injection vulnerability in VBGooglemap Hotspot Edition 1.0.3, a vBulletin module, allows remote attackers to execute arbitrary
CVE-2008-3773
all versions
Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3.6.10 PL3, when "Show New Private Message Notification Pop-Up
CVE-2008-3184
all versions
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, all
CVE-2008-2744
all versions
Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 allows remote attackers to inject arbitrary web script or H
CVE-2008-2460
all versions
SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q
CVE-2007-4453
all versions
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.8 allow remote attackers to inject arbitrary web code or HTML
CVE-2007-4120
all versions
Multiple PHP remote file inclusion vulnerabilities in Jelsoft vBulletin 3.6.5 allow remote attackers to execute arbitrary PHP code
CVE-2007-3326
all versions
Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow remote attackers to redirect visitors to arbitrary local fil
CVE-2007-2912
<= 3.6.4
Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows
CVE-2007-2911
<= 3.6.5
SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin before 3.6.6 allows remote authenticated administrators
CVE-2007-2910
<= 3.6.6
Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.6.7 PL1 allows remote attackers to inject arbitrary web scr
CVE-2007-2909
<= 3.6.6
Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin 3.6.x before 3.6.7 allows remote attackers to inject
CVE-2007-2908
<= 3.6.5
Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin before 3.6.6 allows remote attackers to inject arbit
CVE-2007-1573
<= 3.6.5
SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to exe
CVE-2007-1342
<= 3.6.5
Cross-site scripting (XSS) vulnerability in admincp/index.php in Jelsoft vBulletin 3.6.5 and earlier allows remote attackers to in
CVE-2007-1292
<= 3.5.8
SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin before 3.5.8, and before 3.6.5 in the 3.6.x series, might allow
CVE-2007-0869
all versions
Cross-site scripting (XSS) vulnerability in the Attachment Manager (admincp/attachment.php) in Jelsoft vBulletin 3.6.4 allows remo
CVE-2007-0830
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the Admin Control Panel (AdminCP) in Jelsoft vBulletin 3.6.4 allow remote a
CVE-2006-6779
all versions
Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin allows remote attackers to inject arbitrary web script or HTML via a
CVE-2006-6040
all versions
Multiple cross-site scripting (XSS) vulnerabilities in admincp/index.php in Jelsoft vBulletin 3.6.x allow remote attackers to inje
CVE-2006-5104
all versions
SQL injection vulnerability in global.php in Jelsoft vBulletin 2.x allows remote attackers to execute arbitrary SQL commands via t
CVE-2006-4273
all versions
Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin 3.5.4 and 3.6.0 allows remote attackers to inject arbitrary web scri
CVE-2006-4272
all versions
Jelsoft vBulletin 3.5.4 allows remote attackers to register multiple arbitrary users and cause a denial of service (resource consu
CVE-2006-4271
all versions
PHP remote file inclusion vulnerability in install/upgrade_301.php in Jelsoft vBulletin 3.5.4 allows remote attackers to execute a
CVE-2006-3253
all versions
Cross-site scripting (XSS) vulnerability in member.php in vBulletin 3.5.x allows remote attackers to inject arbitrary web script o
CVE-2006-2805
all versions
SQL injection vulnerability in VBulletin 3.0.10 allows remote attackers to execute arbitrary SQL commands via the featureid parame
CVE-2006-2335
all versions
Jelsoft vBulletin accepts uploads of Cascading Style Sheets (CSS) and processes them in a way that allows remote authenticated adm
CVE-2006-2018
all versions
SQL injection vulnerability in calendar.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL commands via the e
CVE-2006-1816
all versions
PHP remote file inclusion vulnerability in VBulletin 3.5.1, 3.5.2, and 3.5.4 allows remote attackers to execute arbitrary code via
CVE-2006-1040
all versions
Cross-site scripting (XSS) vulnerability in vBulletin 3.0.12 and 3.5.3 allows remote attackers to inject arbitrary web script or H
CVE-2006-0080
all versions
Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbi
CVE-2005-4621
all versions
Cross-site scripting (XSS) vulnerability in the editavatar page in vBulletin 3.5.1 allows remote attackers to inject arbitrary web
CVE-2005-3025
all versions
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.0.7 and earlier allow remote attackers to inject arbitrary web
CVE-2005-3024
all versions
Multiple SQL injection vulnerabilities in vBulletin 3.0.7 and earlier allow remote attackers to execute arbitrary SQL commands via
CVE-2005-3023
all versions
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.0.9 and earlier allow remote attackers to inject arbitrary web
CVE-2005-3022
all versions
Multiple SQL injection vulnerabilities in vBulletin 3.0.9 and earlier allow remote attackers to execute arbitrary SQL commands via
CVE-2005-3021
all versions
image.php in vBulletin 3.0.9 and earlier allows remote attackers with access to the administrator panel to upload arbitrary files
CVE-2005-3020
all versions
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin before 3.0.9 allow remote attackers to inject arbitrary web scrip
CVE-2005-3019
all versions
Multiple SQL injection vulnerabilities in vBulletin before 3.0.9 allow remote attackers to execute arbitrary SQL commands via the
CVE-2005-0429
all versions
Direct code injection vulnerability in forumdisplay.php in vBulletin 3.0 through 3.0.4, when showforumusers is enabled, allows rem
CVE-2005-0511
all versions
misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute
CVE-2004-2695
all versions
SQL injection vulnerability in the Authorize.net callback code (subscriptions/authorize.php) in Jelsoft vBulletin 3.0 through 3.0.
CVE-2004-2288
all versions
Cross-site scripting (XSS) vulnerability in index.php in Jelsoft vBulletin allows remote attackers to spoof parts of a website via
CVE-2004-2076
all versions
Cross-site scripting (XSS) vulnerability in search.php for Jelsoft vBulletin 3.0.0 RC4 allows remote attackers to inject arbitrary
CVE-2004-1823
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Jelsoft vBulletin 2.0 beta 3 through 3.0 can4 allows remote attackers to in
CVE-2004-1515
all versions
SQL injection vulnerability in (1) ttlast.php and (2) last10.php in vBulletin 3.0.x allows remote attackers to execute arbitrary S
CVE-2004-0620
all versions
Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to in
CVE-2004-0091
all versions
NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in register.php for unknown versions o
CVE-2004-0036
all versions
SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive info
CVE-2003-0295
all versions
Cross-site scripting (XSS) vulnerability in private.php for vBulletin 3.0.0 Beta 2 allows remote attackers to inject arbitrary web
CVE-2002-2235
all versions
member2.php in vBulletin 2.2.9 and earlier does not properly restrict the $perpage variable to be an integer, which causes an erro
CVE-2002-1922
all versions
Cross-site scripting (XSS) vulnerability in global.php in Jelsoft vBulletin 2.0.0 through 2.2.8 allows remote attackers to inject
CVE-2002-1679
all versions
Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin 2.2.0 allows remote attackers to execute arbitrary script as other u
CVE-2002-1678
all versions
Cross-site scripting (XSS) vulnerability in memberlist.php in Jelsoft vBulletin 2.0 rc 2 through 2.2.4 allows remote attackers to
CVE-2002-1660
<= 2.1.9
calendar.php in vBulletin before 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the comma
CVE-2001-0475
<= 1.1.5
index.php in Jelsoft vBulletin does not properly initialize a PHP variable that is used to store template information, which allow
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin