Description
SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated to 3.3.11 or newer yet.
Published: 2026-06-12
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious SQL commands into the phpBB profile field migration process, resulting in arbitrary SQL execution. This flaw arises from inadequate sanitization of user‑supplied profile data during migration. Successful exploitation could compromise database integrity, disclose sensitive data, or modify forum content.

Affected Systems

Forums running phpBB, specifically versions updated from pre‑3.3.8 releases and not yet patched to 3.3.11 or newer, are affected. The issue is tied to the migration feature that transfers legacy profile fields into the new schema.

Risk and Exploitability

A CVSS score of 7.1 indicates high severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is a remote web request that triggers the migration routine, allowing an unauthenticated or low‑privileged user to supply crafted profile data and execute arbitrary SQL statements.

Generated by OpenCVE AI on June 12, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the forum software to phpBB 3.3.11 or later to apply the vendor patch.
  • If an immediate upgrade is not possible, disable or defer the profile field migration process until the patch is applied.
  • Before any migration, validate and escape all user‑supplied profile data to prevent SQL injection.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 05:15:00 +0000

Type    Values Removed    Values Added
Title   -                 SQL Injection in phpBB Profile Field Migration Allowing Arbitrary SQL Execution

Fri, 12 Jun 2026 05:00:00 +0000

Type                   Values Removed    Values Added
First Time appeared    -                 Phpbb; Phpbb phpbb
Vendors & Products     -                 Phpbb; Phpbb phpbb

Fri, 12 Jun 2026 03:30:00 +0000

Type           Values Removed    Values Added
Description    -                 SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated to 3.3.11 or newer yet.
Weaknesses     -                 CWE-89
References     -                 -
Metrics        -                 cvssV3_0: score 7.1, vector CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/CR:H/IR:H/AR:H


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-12T02:27:43.557Z

Reserved: 2026-05-22T15:00:09.276Z

Link: CVE-2026-48613

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T04:17:11.327

Modified: 2026-06-12T04:17:11.327

Link: CVE-2026-48613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T05:00:17Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')