Description
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.
Published: 2026-04-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Administrator Code Execution via CSRF
Action: Immediate Patch
AI Analysis

Impact

The flaw is a cross‑site request forgery in the icon management section of phpBB 3.3.15. A forged request, crafted by an attacker who is logged in as a local administrator, can include malicious payloads that the server executes, resulting in arbitrary code execution on the application server.

Affected Systems

Only phpBB version 3.3.15 is affected, specifically its Admin Control Panel icon management feature. No other versions or products are listed as vulnerable.

Risk and Exploitability

The vulnerability carries a moderate severity score of 4.3 and is considered very unlikely to be exploited, with an estimated exploitation probability of under 1%. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires the attacker to have administrative credentials and to submit a forged request to the state‑changing icon management endpoint, making the threat surface limited to trusted users with local access.

Generated by OpenCVE AI on April 15, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpBB to a version that contains the CSRF fix for icon management.
  • Restrict the Admin Control Panel to a trusted set of IP addresses or devices to minimize the number of potential attackers.
  • Enforce mandatory CSRF tokens on all state‑changing requests within the admin interface.

Generated by OpenCVE AI on April 15, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Phpbb
Phpbb phpbb
CPEs cpe:2.3:a:phpbb:phpbb:3.3.15:-:*:*:*:*:*:*
Vendors & Products Phpbb
Phpbb phpbb

Wed, 15 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Title CSRF in phpBB Icon Management Enables Local Administrative Code Execution

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title CSRF in phpBB 3.3.15 Admin Icon Management Enables Local Code Execution
Weaknesses CWE-94

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title CSRF in phpBB 3.3.15 Admin Icon Management Enables Local Code Execution
Weaknesses CWE-352
CWE-94

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Ariefibis
Ariefibis phpbb3
Vendors & Products Ariefibis
Ariefibis phpbb3

Thu, 09 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.
References

Subscriptions

Ariefibis Phpbb3
Phpbb Phpbb
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T16:35:34.486Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70811

cve-icon Vulnrichment

Updated: 2026-04-14T14:46:02.252Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T15:16:09.163

Modified: 2026-04-17T13:05:33.037

Link: CVE-2025-70811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses