Description
Cross Site Request Forgery vulnerability in Phpbb phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.
Published: 2026-04-09
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Patch
AI Analysis

Impact

A Cross-Site Request Forgery flaw in phpBB 3.3.15's Admin Control Panel icon-management interface permits a local attacker, who has already authenticated with sufficient privileges, to inject and execute arbitrary code. The vulnerability stems from missing or improperly validated CSRF tokens, allowing the attacker to submit crafted requests that the admin area accepts as legitimate. The consequence is full control over the application, potentially compromising the underlying operating system and data. This flaw aligns with CWE-352 (Cross-Site Request Forgery) and CWE-94 (improper control of code generation, i.e. code injection).
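The paragraph above attributes the flaw to missing or improperly validated CSRF tokens. The PHP snippet below is an added illustration of what a token check on a state-changing admin action looks like; it is not phpBB's own code (phpBB ships its own form-key helpers, add_form_key() and check_form_key(), which this example does not reproduce). It shows an unprotected handler beside a hardened one that requires a per-session HMAC token with an expiry, and demonstrates that a forged submission which knows the field names but not the session secret is rejected. The session array, the acp_icons form name, TOKEN_TTL and all function names are assumptions made for the example.

```php
<?php
// Added example (not phpBB's code): per-session CSRF tokens for an admin form.
// Assumptions: the session secret is stored under $session['csrf_secret']
// (hypothetical key); a token is HMAC-SHA256(secret, form_name . '|' . issued_at).

declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a form token stays valid (constructed value)

/** Issue a token for one form, bound to this session's secret and an issue time. */
function issue_form_token(array &$session, string $form_name, int $now): array
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32)); // fresh per-session secret
    }
    $mac = hash_hmac('sha256', $form_name . '|' . $now, $session['csrf_secret']);
    return ['creation_time' => $now, 'form_token' => $mac];
}

/** Verify a submitted token: it must be present, fresh, and match the recomputed HMAC. */
function check_form_token(array $session, string $form_name, array $post, int $now): bool
{
    if (empty($session['csrf_secret'])) {
        return false; // no secret in this session, so no token could have been issued
    }
    if (!isset($post['creation_time'], $post['form_token'])) {
        return false; // a cross-site form has no way to supply these fields correctly
    }
    $issued = (int) $post['creation_time'];
    if ($issued > $now || $now - $issued > TOKEN_TTL) {
        return false; // expired, or an issue time in the future
    }
    $expected = hash_hmac('sha256', $form_name . '|' . $issued, $session['csrf_secret']);
    // Constant-time comparison so a token cannot be matched byte by byte via timing
    return hash_equals($expected, (string) $post['form_token']);
}

/** Vulnerable shape: a state-changing admin action driven by POST fields alone. */
function handle_icon_update_unprotected(array $post): string
{
    return 'updated icon ' . ($post['icon_id'] ?? '?');
}

/** Hardened shape: the same action refuses to run unless the token verifies. */
function handle_icon_update_protected(array $session, array $post, int $now): string
{
    if (!check_form_token($session, 'acp_icons', $post, $now)) {
        return 'rejected: invalid or missing form token';
    }
    return handle_icon_update_unprotected($post);
}

// Simulated session and requests (constructed; no real HTTP involved).
$session = [];
$now = 1700000000;
$token = issue_form_token($session, 'acp_icons', $now);

// A legitimate submission from the admin's own form carries the issued token fields.
$good = ['icon_id' => 7] + $token;
// A forged cross-site request can guess the field names but not the session secret.
$forged = ['icon_id' => 7, 'creation_time' => $now, 'form_token' => str_repeat('0', 64)];

echo handle_icon_update_unprotected($forged), PHP_EOL;                          // runs: nothing checked
echo handle_icon_update_protected($session, $good, $now), PHP_EOL;              // runs: token verifies
echo handle_icon_update_protected($session, $forged, $now), PHP_EOL;            // rejected: wrong HMAC
echo handle_icon_update_protected($session, $good, $now + TOKEN_TTL + 1), PHP_EOL; // rejected: expired
```

The design point is that the token is derived from a secret the attacker's page cannot read and is compared in constant time; binding the issue time into the HMAC means an expiry cannot be extended by editing the creation_time field. Every action that changes state (uploads, deletions, configuration writes) needs the check, not only the ones that look dangerous.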

Affected Systems

Only phpBB 3.3.15 is known to contain this issue. Users running that specific release and accessing the icon-management feature should verify whether the vulnerability is present. No other vendors or product variants are known to be affected.

Risk and Exploitability

The vulnerability cannot be exploited from the external network; it requires a user with local or administrative credentials. While no EPSS score is reported and the flaw is not listed in the CISA KEV catalog, the ability to execute arbitrary code makes the risk significant for affected installations. Administrators should assume that a compromised local account could lead to a full takeover, and therefore prompt remediation is advised.

Generated by OpenCVE AI on April 9, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply phpBB 3.3.16 or newer to resolve the CSRF protection flaw.
  • If an upgrade is not immediately possible, disable or restrict access to the Admin Control Panel icon-management interface.
  • Implement strict access controls and limit the number of accounts with administrative privileges.
  • Monitor server logs for unusual icon uploads or configuration changes and investigate promptly.

Advisories

No advisories yet.

History

(a dash marks an empty column)

Fri, 10 Apr 2026 10:00:00 +0000

  Type         Values Removed   Values Added
  Title        -                CSRF in phpBB 3.3.15 Admin Icon Management Enables Local Code Execution
  Weaknesses   -                CWE-352, CWE-94

Fri, 10 Apr 2026 09:00:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   -                Ariefibis, Ariefibis phpbb3
  Vendors & Products    -                Ariefibis, Ariefibis phpbb3

Thu, 09 Apr 2026 15:00:00 +0000

  Type          Values Removed   Values Added
  Description   -                Cross Site Request Forgery vulnerability in Phpbb phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.
  References    -                -

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T14:06:56.837Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70811

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T15:16:09.163

Modified: 2026-04-09T15:16:09.163

Link: CVE-2025-70811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:33:14Z

Weaknesses