Description
my little forum is a PHP and MySQL based internet forum that displays messages in a classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar polyglot file (disguised as a JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit a Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.
Published: 2026-02-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Apply Patch
AI Analysis

Impact

A flaw in My-Little-Forum's image upload validation allows the phar:// stream wrapper to reach the BBCode [img] tag processor. By uploading a Phar polyglot file that masquerades as a JPEG and then referencing it with a phar:// URL in an [img] tag, an attacker can trigger Phar deserialization and use a known Smarty 4.1.0 POP chain to delete files the application can write to. This results in the loss of data or configuration files, can cripple forum availability, and may facilitate further compromise. The weakness is classified as CWE-502 (deserialization of untrusted data) and CWE-434 (unrestricted upload of a file with a dangerous type).

Affected Systems

Versions of My-Little-Forum released before 20260208.1 are affected. Any deployment running the application's image upload and BBCode parsing components prior to this patch is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 8.7, indicating high severity. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild. The issue is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack path is the publicly accessible image upload endpoint: an attacker uploads a Phar polyglot disguised as a JPEG, then posts an [img] tag whose phar:// URL points at it, causing the server to delete files the application can reach. Successful exploitation undermines availability and could be leveraged for further attacks on the system.

Generated by OpenCVE AI on April 17, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MyLittleForum to version 20260208.1 or newer.
  • Configure the web server or PHP to reject the 'phar://' protocol in URLs, for example by filtering input paths or adjusting wrapper settings.
  • Disable or limit BBCode [img] tag processing until the fix is applied, or closely monitor upload content for malformed or unexpected files and block suspicious submissions.
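One way to implement the URL-filtering action above, as an added example that is not my little forum's own code (the function and constant names are illustrative): instead of denying phar:// alone, the check allow-lists http and https, normalises whitespace and case first, and so rejects every PHP stream wrapper at once.

```php
<?php
// Added example, not my little forum's own code: allow-list validation for the
// URL taken from a BBCode [img] tag, run before the URL reaches any PHP file or
// image function. Function and constant names here are illustrative.

const ALLOWED_IMG_SCHEMES = ['http', 'https'];
const MAX_IMG_URL_LENGTH  = 2048;

/**
 * Return the trimmed URL if it may be used in an [img] tag, or null to reject.
 * Allow-listing http/https closes phar:// and every other PHP stream wrapper
 * (file://, data://, glob://, ...) with one rule, instead of chasing wrapper
 * names one at a time as a deny-list would.
 */
function validateImageUrl(string $url): ?string
{
    // Remove surrounding whitespace and NUL bytes so a wrapper prefix cannot
    // hide behind leading spaces; refuse embedded control characters outright.
    $url = trim($url, " \t\n\r\0\x0B");
    if ($url === '' || strlen($url) > MAX_IMG_URL_LENGTH
        || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // PHP resolves "PHAR://" and "phar://" to the same wrapper, so the scheme
    // must be compared case-insensitively.
    if (!in_array(strtolower($parts['scheme']), ALLOWED_IMG_SCHEMES, true)) {
        return null;
    }

    return $url;
}

// Constructed inputs for a quick self-check (not real data).
$samples = [
    'https://example.com/images/photo.jpg',
    'HTTP://example.com/photo.png',
    'phar://uploads/polyglot.jpg/x',
    ' PHAR://uploads/polyglot.jpg',
    'not a url',
];
foreach ($samples as $s) {
    printf("%-40s %s\n", $s, validateImageUrl($s) === null ? 'REJECT' : 'ACCEPT');
}
```

If the [img] handler also accepts relative paths into the forum's own upload directory, those need a separate check (resolve with realpath() and confirm the result stays inside that directory); this example only covers absolute URLs.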

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 20:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Mylittleforum; Mylittleforum my Little Forum
  CPEs                 (none)           cpe:2.3:a:mylittleforum:my_little_forum:*:*:*:*:*:*:*:*
  Vendors & Products   (none)           Mylittleforum; Mylittleforum my Little Forum
  Metrics              (none)           cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Wed, 11 Feb 2026 22:15:00 +0000

  Type     Values Removed   Values Added
  Metrics  (none)           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           My Little Forum; My Little Forum my Little Forum
  Vendors & Products   (none)           My Little Forum; My Little Forum my Little Forum

Mon, 09 Feb 2026 22:15:00 +0000

  Type         Values Removed   Values Added
  Description  (none)           my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.
  Title        (none)           Phar Deserialization leading to Arbitrary File Deletion in my little forum
  Weaknesses   (none)           CWE-434; CWE-502
  References   (none)           (none)
  Metrics      (none)           cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T21:20:25.222Z

Reserved: 2026-02-09T16:22:17.785Z

Link: CVE-2026-25923

Vulnrichment

Updated: 2026-02-11T21:20:22.850Z

NVD

Status: Analyzed

Published: 2026-02-09T22:16:04.460

Modified: 2026-03-17T20:30:28.337

Link: CVE-2026-25923

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses