Description
A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended redistribution of exploit details to prevent simplified exploitation. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-24
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was identified in the Login component of vBulletin 6.x that allows an attacker to inject and execute malicious script code through a manipulated input. The vulnerability is a reflected cross‑site scripting (XSS) issue, which can be triggered remotely without authentication. Successful exploitation would enable an attacker to run arbitrary client‑side code in the context of a victim’s browser session, potentially compromising user credentials, session cookies, and the integrity of data viewed by that user.

Affected Systems

The affected product is vBulletin 6.x. No specific sub‑versions are listed in the advisory, but any instance of vBulletin 6.x that has not applied a patch or update is considered vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can launch the exploit remotely by manipulating input parameters to the Login page. Since the vendor has not yet responded with a patch, users rely on mitigations or updates from later releases to reduce the attack surface.

Generated by OpenCVE AI on May 24, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest vBulletin release that contains the XSS fix
  • Implement a strict Content Security Policy to constrain executable scripts
  • Sanitize and validate all input fields in the Login component before processing

Advisories

No advisories yet.

History

Sun, 24 May 2026 06:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended redistribution of exploit details to prevent simplified exploitation. The vendor was contacted early about this disclosure but did not respond in any way.
Title vBulletin Login cross site scripting
First Time appeared Vbulletin, Vbulletin vbulletin
Weaknesses CWE-79, CWE-94
CPEs cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
Vendors & Products Vbulletin, Vbulletin vbulletin
References
Metrics cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T05:15:09.701Z

Reserved: 2026-05-23T09:39:47.115Z

Link: CVE-2026-9357

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T08:00:10Z

Weaknesses