Description
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism
Published: 2026-04-09
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution via CSRF
Action: Apply Patch
AI Analysis

Impact

A flaw in the login function of PhpBB phbb3 v3.3.15 allows a local attacker to send a crafted web request that is treated as a legitimate login attempt. Because the application does not validate a CSRF token or properly authenticate the request, the attacker can trigger the execution of arbitrary code on the host that runs the forum software. This is a classic cross‑site request forgery weakness combined with an ability to execute code on the server, placing the application and underlying system at significant risk.

Affected Systems

The vulnerability impacts only installations of PhpBB phbb3 at version 3.3.15. No other product variants or vendor versions were identified. Any instance running this exact release without applying a fix is considered vulnerable.

Risk and Exploitability

The vulnerability requires that the attacker already have local access to the machine running the forum. A remote attacker would first need to gain local user privileges or compromise a process that can issue HTTP requests to the login page. No public exploits have been observed and the issue is not listed in any known exploited vulnerability catalog, which suggests a limited current threat surface. Nonetheless, because the stated consequence is complete compromise of the host, mitigation should be a top priority wherever local access is possible.

Generated by OpenCVE AI on April 9, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether your deployment is running PhpBB phbb3 v3.3.15 and document its version.
  • Apply the vendor‑issued patch or upgrade to a newer, non‑vulnerable release as soon as it is available.
  • If a patch is not yet released, restrict access to the login page to trusted IP addresses or authenticated users only.
  • Mandate a CSRF token for login attempts to prevent forged requests.
  • Monitor authentication logs for abnormal login activity that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 10:00:00 +0000

Type         Values Removed   Values Added
Title                         CSRF Exploit in PhpBB phbb3 v3.3.15 Enables Local Code Execution
Weaknesses                    CWE-352, CWE-94

Fri, 10 Apr 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ariefibis, Ariefibis phpbb3
Vendors & Products                    Ariefibis, Ariefibis phpbb3

Thu, 09 Apr 2026 15:00:00 +0000

Type          Values Removed   Values Added
Description                    Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T14:24:30.432Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70810

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T15:16:09.037

Modified: 2026-04-09T15:16:09.037

Link: CVE-2025-70810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:33:15Z

Weaknesses