CVE-2016-6195

🗓️ 30 Aug 2016 19:00:00Reported by mitreType

cve🔗 web.nvd.nist.gov👁 123 Views🌐 WEB

SQL injection vulnerability in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.ph

Reporter	Title	Published	Views	Family All 16
0day.today	vBulletin 4.2.3 - SQL Injection Vulnerability	11 Nov 201600:00	–	zdt
Gitee	Exploit for Argument Injection in Phpmailer_Project Phpmailer	5 Dec 201914:28	–	gitee
Circl	CVE-2016-6195	25 Aug 201500:00	–	circl
CNVD	vBulletin forumrunner/includes/moderation.php SQL Injection Vulnerability	31 Aug 201600:00	–	cnvd
Cvelist	CVE-2016-6195	30 Aug 201619:00	–	cvelist
Dsquare	vBulletin 4 ForumRunner SQL Injection	1 Dec 201600:00	–	dsquare
Exploit DB	vBulletin 3.6.0 < 4.2.3 - 'ForumRunner' SQL Injection	25 Aug 201500:00	–	exploitdb
exploitpack	vBulletin 3.6.0 4.2.3 - ForumRunner SQL Injection	25 Aug 201500:00	–	exploitpack
Nuclei	vBulletin <= 4.2.3 - SQL Injection	4 Jun 202603:48	–	nuclei
NVD	CVE-2016-6195	30 Aug 201619:59	–	nvd

NVD

Node

vbulletin vbulletinRange≤4.2.2patch_level_4

vbulletin vbulletinMatch4.2.3

Source	Link
securityfocus	www.securityfocus.com/bid/92687
vbulletin	www.vbulletin.org/forum/showthread.php
enumerated	www.enumerated.wordpress.com/2016/07/11/1/
github	www.github.com/drewlong/vbully

Parameter	Position	Path	Description	CWE
postids	query param	forum_directory/forumrunner/request.php	SQL injection via postids parameter in forumrunner/request.php (CVE-2016-6195)	CWE-89

06 May 2026 22:30Current

9.9High risk

Vulners AI Score9.9

CVSS 27.5

CVSS 39.8

EPSS0.8643

CWE-89