EUVD-2025-28267

🗓️ 27 May 2025 00:00:00Reported by EUVDType

VBulletin on PHP 8.1+ exposes protected API calls to unauthenticated users via /api.php?method=protectedMethod.

Reporter	Title	Published	Views	Family All 17
GithubExploit	Exploit for Improper Protection of Alternate Path in Vbulletin	31 May 202515:23	–	githubexploit
GithubExploit	Exploit for Improper Protection of Alternate Path in Vbulletin	14 Jul 202502:17	–	githubexploit
BDU FSTEC	The vulnerability of the commercial vBulletin web forum, related to improper protection of the alternative path, allows a hacker to execute arbitrary code.	16 Jun 202500:00	–	bdu_fstec
Circl	CVE-2025-48827	27 May 202504:47	–	circl
CNNVD	Internet Brands vBulletin 安全漏洞	27 May 202500:00	–	cnnvd
CVE	CVE-2025-48827	27 May 202500:00	–	cve
Cvelist	CVE-2025-48827	27 May 202500:00	–	cvelist
Nuclei	vBulletin 5.0.0-6.0.3 - Authentication Bypass	8 Jun 202604:09	–	nuclei
Nuclei	vBulletin replaceAdTemplate - Remote Code Execution	8 Jun 202604:09	–	nuclei
NVD	CVE-2025-48827	27 May 202504:15	–	nvd

[
  {
    "enisaIdVendor": [
      {
        "id": "046edac4-9372-3ff5-b289-fb9bf7cf435a",
        "vendor": {
          "name": "vBulletin"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "5d4bc7c1-aaff-3ab6-89d7-37eb79549249",
        "product": {
          "name": "vBulletin"
        },
        "product_version": "6.0.0 ≤6.0.3"
      },
      {
        "id": "806c3fe5-a478-324a-8db0-93fd47b61266",
        "product": {
          "name": "vBulletin"
        },
        "product_version": "5.0.0 ≤5.7.5"
      }
    ]
  }
]

Source	Link
karmainsecurity	www.karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
kevintel	www.kevintel.com/CVE-2025-48827

27 May 2025 18:03Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.19.8 - 10

EPSS0.77631

SSVC