Description
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism
Published: 2026-04-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

A Cross-Site Request Forgery flaw exists in the login routine of PhpBB phbb3 version 3.3.15. By submitting a crafted request that mimics a legitimate authentication attempt, an attacker can inject code that the PHP interpreter executes. The flaw is classified as Cross-Site Request Forgery (CWE-352), i.e. a request that the application accepts without verifying that the user intended to send it. Successful exploitation results in arbitrary code execution with the privileges of the web server process, allowing complete compromise of the affected site.

Affected Systems

The vulnerability affects installations of the PhpBB phbb3 forum software running version 3.3.15. No other product variants or vendors are listed, so any deployment of that specific version is exposed.

Risk and Exploitability

The base CVSS score of 8.8 reflects a high severity level. An EPSS score below 1% indicates that exploitation is currently rare, and the issue has not appeared in the CISA Known Exploited Vulnerabilities catalog. An attacker who can send crafted requests from a local browsing session or a compromised account can trigger the login route and cause PHP to execute arbitrary code. Because the attack requires direct interaction with the authentication endpoint, it is limited to situations where the attacker can reach the login form; however, because the flaw is a CSRF condition, it may also be feasible from a previously compromised user browser or by using a victim's session cookie.

Generated by OpenCVE AI on April 15, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PhpBB phbb3 to a patched version that removes the CSRF flaw
  • If an upgrade is not yet possible, restrict or disable the affected login endpoint or limit access to trusted IPs
  • Add CSRF tokens or enforce token validation for all authenticated requests
  • Ensure PHP session cookies are marked secure and HTTPOnly, and enforce strict origin checks
  • Review the codebase and server logs for evidence of unauthorized code execution
  • Monitor authentication events and apply intrusion detection alerts for anomalous requests


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Phpbb; Phpbb phpbb
CPEs | | cpe:2.3:a:phpbb:phpbb:3.3.15:-:*:*:*:*:*:*
Vendors & Products | | Phpbb; Phpbb phpbb

Wed, 15 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in PhpBB phbb3 Login Enables Local Code Execution

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title CSRF Exploit in PhpBB phbb3 v3.3.15 Enables Local Code Execution
Weaknesses CWE-94

Tue, 14 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title CSRF Exploit in PhpBB phbb3 v3.3.15 Enables Local Code Execution
Weaknesses CWE-352
CWE-94

Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ariefibis; Ariefibis phpbb3
Vendors & Products | | Ariefibis; Ariefibis phpbb3

Thu, 09 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T16:35:39.523Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70810

Vulnrichment

Updated: 2026-04-14T14:43:21.172Z

NVD

Status : Analyzed

Published: 2026-04-09T15:16:09.037

Modified: 2026-04-17T13:06:33.410

Link: CVE-2025-70810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:45:12Z

Weaknesses