vBulletin 5.0.0-6.0.3 - Authentication Bypass

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 contain an authentication bypass caused by unauthenticated access to protected API controllers on PHP 8.1 or later, letting unauthenticated attackers invoke protected methods remotely.Starting from PHP 8.1, due to an internal adjustment to...

vBulletin replaceAdTemplate - Remote Code Execution

vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution RCE vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted...

vBulletin - Open Redirect

vBulletin 3.x.x and 4.2.x through 4.2.5 contains an open redirect vulnerability via the redirector.php URL parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2018-6200 info: name:...

vBulletin <= 4.2.3 - SQL Injection

vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database. id: CVE-2016-6195 info: name:...

vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verifyserialized checks that a value is serialized by calling unserialize and then checking for errors. id: CVE-2023-25135...

vBulletin SQL Injection

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control that permits SQL injection attacks. id: CVE-2020-12720 info: name: vBulletin SQL Injection author: pdteam severity: critical description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and...

CVE-2026-9357

A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended...

vBulletin 5.0.0-5.5.4 - Remote Command Execution

vBulletin 5.0.0 through 5.5.4 is susceptible to a remote command execution vulnerability via the widgetConfig parameter in an ajax/render/widgetphp routestring request. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system...

CVE-2026-9357

A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended...

EUVD-2026-31572

A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended...

CVE-2026-9357

Technical details are not publicly available in the provided documents. The Connected docs only reiterate a login-related XSS in vBulletin 6.x without specifics on vulnerable components, versions, or remediation. Monitor for updates.

CVE-2026-9357

A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended...

CVE-2026-9357 vBulletin Login cross site scripting

A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended...

CVE-2026-9357 vBulletin Login cross site scripting

A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended...

PT-2026-42915

A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended...

vBulletin 代码注入漏洞

vBulletin is an open-source web forum software based on PHP and MySQL developed by vBulletin Inc. Version vBulletin 6.x has a code injection vulnerability, which stems from improper operation of the Login component and may lead to cross-site scripting attacks...

vBulletin 5.5.4 - 5.6.2- Remote Command Execution

vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widgettabbedcontainertabpanel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. id: CVE-2020-17496 info: name: vBulletin 5.5.4 - 5.6.2- Remote Comman...

CVE-2018-12580

library/DBTech/Security/Action/Sessions.php in DragonByte vBSecurity 3.x through 3.3.0 for vBulletin 3 and vBulletin 4 allows self-XSS via $session'useragent' in the "Login Sessions" feature...

CVE-2018-6200

vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter...

CVE-2003-1031

Cross-site scripting XSS vulnerability in register.php for vBulletin 3.0 Beta 2 allows remote attackers to inject arbitrary HTML or web script via optional fields such as 1 "Interests-Hobbies", 2 "Biography", or 3 "Occupation."...