Every CVE whose affected-product data names Phpbb, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (38)
CVE-2008-1766 — CVSS 10.0 (critical): Multiple unspecified vulnerabilities in phpBB before 3.0.1 have unknown impact and attack vectors, related to "two minor security-related…
CVE-2008-3224 — CVSS 10.0 (critical): Unspecified vulnerability in phpBB before 3.0.1 has unknown impact and attack vectors related to "urls gone through redirect() being used…
CVE-2001-1471 — CVSS 8.8 (high): prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which…
CVE-2025-70810 — CVSS 8.8 (high): Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function…
CVE-2019-16993 — CVSS 8.8 (high): In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration…
CVE-2026-29199 — CVSS 8.1 (high): phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is…
CVE-2007-4653 — CVSS 7.5 (high): SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers to execute…
CVE-2003-1530 — CVSS 7.5 (high): SQL injection vulnerability in privmsg.php in phpBB 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the…
CVE-2019-16108 — CVSS 7.5 (high): phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.
CVE-2017-1000419 — CVSS 7.5 (high): phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar function resulting allowing an attacker to perform port scanning, requesting…
CVE-2010-1630 — CVSS 7.5 (high): Unspecified vulnerability in posting.php in phpBB before 3.0.5 has unknown impact and attack vectors related to the use of a "forum id" in…
CVE-2006-7168 — CVSS 7.5 (high): PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute arbitrary…
CVE-2007-5688 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and Invision…
CVE-2018-19274 — CVSS 7.2 (high): Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing…
CVE-2015-1432 — CVSS 6.8 (medium): The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which…
CVE-2007-5173 — CVSS 6.8 (medium): PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID/BBStore.php in phpBB Openid 0.2.0 allows remote attackers to execute…
CVE-2008-7143 — CVSS 6.8 (medium): phpBB 2.0.23 includes the session ID in a request to modcp.php when the moderator or administrator closes a thread, which allows remote…
CVE-2019-13376 — CVSS 6.5 (medium): phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The…
CVE-2015-3880 — CVSS 6.1 (medium): Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to…
CVE-2020-8226 — CVSS 5.8 (medium): A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF.
CVE-2019-11767 — CVSS 5.8 (medium): Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local network of…
CVE-2006-5191 — CVSS 5.1 (medium): PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0 and…
CVE-2008-6507 — CVSS 5.0 (medium): Unspecified vulnerability in phpBB before 3.0.4 allows attackers to obtain sensitive information via unknown vectors related to the lack of…
CVE-2008-4125 — CVSS 5.0 (medium): The search function in phpBB 2.x provides a search_id value that leaks the state of PHP's PRNG, which allows remote attackers to obtain…
CVE-2006-2220 — CVSS 5.0 (medium): phpBB 2.0.20 does not properly verify user-specified input variables used as limits to SQL queries, which allows remote attackers to obtain…
CVE-2008-6506 — CVSS 5.0 (medium): Unspecified vulnerability in phpBB before 3.0.4 allows attackers to bypass intended access restrictions and activate de-activated accounts…
CVE-2002-2346 — CVSS 5.0 (medium): phpBB 2.0 through 2.0.3 generates names for uploaded avatar files with the hex-encoded IP address of the client system, which allows remote…
CVE-2002-2255 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in search.php in phpBB 2.0.3 and possibly earlier versions allows remote attackers to inject…
CVE-2010-1627 — CVSS 4.3 (medium): feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check permissions for feeds, which allows remote attackers to bypass intended…
CVE-2008-0471 — CVSS 4.3 (medium): Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages (PM) as…
CVE-2015-1431 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrary web…
CVE-2025-70811 — CVSS 4.3 (medium): Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control…
CVE-2023-5917 — CVSS 2.4 (low): A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the…