Description
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Published: 2026-04-05
Score: n/a
EPSS: n/a
KEV: No
Impact: Remote Code Execution via Arbitrary File Upload
Action: Apply Patch
AI Analysis

Impact

phpBB includes a flaw that permits authenticated users to upload crafted zip files containing serialized PHP objects that are deserialized by the imagick processing component. The deserialization triggers arbitrary code execution, giving the attacker the ability to run commands on the web server. The weakness is rooted in improper handling of file paths and untrusted input, classed under the Path Traversal category. The potential impact is full compromise of the PHP process and the underlying system, affecting confidentiality, integrity, and availability of the affected forum installation.

Affected Systems

The vulnerability affects the phpBB forum software, specifically versions 3.2.3 and earlier. CPE data indicates that all releases of phpBB are susceptible, with the general exception of any fixed revisions released after the advisory.

Risk and Exploitability

The CVSS base score is 8.7, indicating a high severity vulnerability. The EPSS score is under 1%, suggesting a low current exploit probability, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with access to the attachment upload feature, and it depends on the application allowing the use of the phar:// stream wrapper and processing zip archives containing malicious objects. Once the conditions are met, the attacker can achieve remote code execution.

Generated by OpenCVE AI on April 9, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update phpBB to the latest patched version that resolves the phar deserialization issue.
  • If immediate updating is not possible, disable the plupload attachment upload functionality or restrict it to a subset of trusted users until the patch is applied.
  • Configure Imagick to reject unsafe operations or remove the imagick parameter from attachment settings to prevent deserialization of malicious objects.

Generated by OpenCVE AI on April 9, 2026 at 20:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References

No reference.

History

Sun, 19 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
CPEs cpe:2.3:a:phpbb:phpbb:*:*:*:*:*:*:*:*
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

Sun, 19 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Title phpBB Arbitrary File Upload via Phar Deserialization
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 19 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
Description phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Attackers can upload a crafted zip file containing serialized PHP objects that execute arbitrary code when deserialized through the imagick parameter in attachment settings. This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CPEs cpe:2.3:a:phpbb:phpbb:3.2.3:*:*:*:*:*:*:*
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

 cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

Thu, 09 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:phpbb:phpbb:*:*:*:*:*:*:*:*

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Attackers can upload a crafted zip file containing serialized PHP objects that execute arbitrary code when deserialized through the imagick parameter in attachment settings.
Title phpBB Arbitrary File Upload via Phar Deserialization
First Time appeared Phpbb
Phpbb phpbb
Weaknesses CWE-22
CPEs cpe:2.3:a:phpbb:phpbb:3.2.3:*:*:*:*:*:*:*
Vendors & Products Phpbb
Phpbb phpbb
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Phpbb Phpbb
cve-icon MITRE

Status: REJECTED

Assigner: VulnCheck

Published:

Updated: 2026-04-19T12:36:07.579Z

Reserved: 2026-04-05T15:21:44.156Z

Link: CVE-2019-25685

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2026-04-05T21:16:47.140

Modified: 2026-04-19T13:16:33.777

Link: CVE-2019-25685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:45:18Z

Weaknesses

No weakness.