CVE-2025-48828
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2025
Last modified:
25/06/2025
Description
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
Impact
Base Score 3.x
9.00
Severity 3.x
CRITICAL
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:vbulletin:vbulletin:6.0.3:*:*:*:*:*:*:* | | |