Description
uBB.threads is vulnerable to a Cross-Site Request Forgery (CSRF) due to a lack of protective mechanisms. This allows an attacker to trick an authenticated user into executing unintended actions.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Published: 2026-06-18
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in UBB.threads is a classic Cross‑Site Request Forgery (CSRF) flaw (CWE-352) arising from the absence of protective mechanisms. An attacker can lure a logged‑in user into executing an action without the user’s intent, leading to unauthorized changes or actions executed with the victim’s privileges.

Affected Systems

The flaw has been confirmed in UBB Systems’ UBB.threads version 7.7.5, and it may also be present in other, earlier or later releases.

Risk and Exploitability

The CVSS score of 8.6 classifies this as high severity. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack path requires an attacker to persuade a legitimate user to access a crafted link or submit a malicious request, which then triggers an action on the target system under the user’s authenticated session. Without remedial code, affected deployments are vulnerable to potentially arbitrary operations performed in the users’ names.

Generated by OpenCVE AI on June 18, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or upgrade to a version that includes a CSRF mitigation when it becomes available
  • Deploy a web application firewall or proxy that detects and blocks forged cross‑site requests to protect against illicit actions
  • Restrict the scope of authenticated user permissions and enforce principle of least privilege to minimize potential damage if CSRF succeeds

Generated by OpenCVE AI on June 18, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ubb Systems
Ubb Systems ubb.threads
Vendors & Products Ubb Systems
Ubb Systems ubb.threads

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description uBB.threads is vulnerable to a Cross-Site Request Forgery (CSRF) due to a lack of protective mechanisms. This allows an attacker to trick an authenticated user into executing unintended actions. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Title Cross-Site Request Forgery in UBB.threads
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Ubb Systems Ubb.threads
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-18T13:30:52.695Z

Reserved: 2026-06-12T11:03:23.916Z

Link: CVE-2026-54220

cve-icon Vulnrichment

Updated: 2026-06-18T13:30:43.609Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:56:14Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)