Impact
The vulnerability arises from an authorization bypass in the pre‑handler of YAF.NET’s administrative pages. Before the ResultFilterAttribute can redirect the user, the OnPost handler performs its logic without checking the caller’s privileges. On the /Admin/RunSql page, this allows a low‑privileged user to post an arbitrary SQL statement via the Editor field, which is passed directly to "IDbAccess.RunSql". The result is blind SQL execution that can read, modify, or delete any data in the database. This flaw maps to CWE‑841 (Improper Restriction of Operations within the Bounds of a User) and CWE‑89 (SQL Injection).
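The ordering problem described above, as an added example (not YAF.NET source code): a single-file ASP.NET Core app in which an admin check placed in a result filter runs only after the action body has executed, next to the same check placed in an authorization filter. It uses an MVC controller so that it fits in one file; the filter order is the same for Razor Pages handlers such as OnPost. The attribute names, routes, the "Admin" role name and the counter are assumptions made for the demonstration.

```csharp
// Added illustration, not YAF.NET code. To run: `dotnet new web`, then replace
// Program.cs with this file (assumes the template's implicit usings).
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
var app = builder.Build();
app.MapControllers();
app.Run();

// Too late: result filters run after the action/handler body has completed,
// so this only changes what the caller sees, not what the server already did.
public sealed class LateAdminCheckAttribute : ResultFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext context)
    {
        if (!context.HttpContext.User.IsInRole("Admin")) // role name is an assumption
            context.Result = new RedirectResult("/");
    }
}

// In time: authorization filters run before the action/handler body. Setting
// Result here short-circuits the pipeline, so the body never executes.
public sealed class EarlyAdminCheckAttribute : Attribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        if (!context.HttpContext.User.IsInRole("Admin"))
            context.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
    }
}

[ApiController]
[Route("demo")]
public sealed class DemoController : ControllerBase
{
    private static int sideEffects; // stands in for the privileged operation

    [HttpPost("late"), LateAdminCheck]
    public IActionResult Late() { Interlocked.Increment(ref sideEffects); return Ok(); }

    [HttpPost("early"), EarlyAdminCheck]
    public IActionResult Early() { Interlocked.Increment(ref sideEffects); return Ok(); }

    [HttpGet("count")]
    public int Count() => sideEffects;
}
```

An unauthenticated POST to /demo/late is answered with a redirect yet still increments the counter reported by /demo/count, while a POST to /demo/early returns 403 and leaves the counter unchanged.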
Affected Systems
The affected software is YAF.NET (YetAnotherForum.NET), a C# ASP.NET forum application. Versions prior to 4.0.5 contain the flaw; the issue was fixed in 4.0.5. Therefore any deployment running 4.0.4 or earlier is vulnerable.
Risk and Exploitability
The CVSS score of 8.8 classifies this as high severity, indicating significant impact. Although the EPSS score is not available, the existence of a functional exploit path—submitting an arbitrary SQL payload to /Admin/RunSql via a web request—gives attackers a realistic chance to compromise the database. The vulnerability is not yet listed in CISA’s KEV catalog, but its potential for data exfiltration or modification makes it a priority for remediation. Attackers only need authenticated access with low privileges, and the authorization bypass removes the normal admin‑level checks, making exploitation straightforward.