This page aggregates CVEs and security vulnerability information across vBulletin-related products, listing CVSS, EPSS, publication date and vulnerability details for each entry.
Historically the issues listed here are mainly cross-site scripting (largely in the Admin Control Panel) and SQL injection, alongside several critical unauthenticated remote code execution flaws in the template engine, widget rendering and serialized-data handling; some cause unexpected behavior, and the affected surfaces are software deployments and production workloads.
The data is taken from public vulnerability databases and vendor security advisories and can be used to assess past exposure and to prioritize patching.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-46171 | vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum. | [email protected] | 5.4 | 0.25% | 2025-07-23 | 2026-06-17 |
| CVE-2025-48828 | Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025. | [email protected] | 9.0 | 48.36% | 2025-05-27 | 2026-06-17 |
| CVE-2025-48827 | vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025. | [email protected] | 10.0 | 69.65% | 2025-05-27 | 2026-06-17 |
| CVE-2023-39777 | A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. | [email protected] | 5.4 | 0.39% | 2023-09-15 | 2026-06-17 |
| CVE-2023-25135 | vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. | [email protected] | 9.8 | 23.93% | 2023-02-03 | 2026-06-17 |
| CVE-2020-7373 | vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | [email protected] | 9.8 | 46.03% | 2020-10-30 | 2026-06-16 |
| CVE-2020-25124 | The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. | [email protected] | 4.8 | 0.55% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25123 | The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. | [email protected] | 4.8 | 0.55% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25122 | The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. | [email protected] | 4.8 | 0.55% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25121 | The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options. | [email protected] | 4.8 | 0.67% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25120 | The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI. | [email protected] | 4.8 | 0.55% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25119 | The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual. | [email protected] | 4.8 | 0.66% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25118 | The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager. | [email protected] | 4.8 | 0.55% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25117 | The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager. | [email protected] | 4.8 | 0.55% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25116 | The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager. | [email protected] | 4.8 | 0.55% | 2020-09-03 | 2026-06-16 |
| CVE-2020-25115 | The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager. | [email protected] | 4.8 | 0.55% | 2020-09-03 | 2026-06-16 |
| CVE-2020-17496 (KEV) | vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. | [email protected] | 9.8 | 87.74% | 2020-08-12 | 2026-06-16 |
| CVE-2020-12720 | vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | [email protected] | 9.8 | 88.95% | 2020-05-07 | 2026-06-16 |
| CVE-2019-17271 | vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. | [email protected] | 4.9 | 1.45% | 2019-10-08 | 2026-06-16 |
| CVE-2019-17132 | vBulletin through 5.5.4 mishandles custom avatars. | [email protected] | 9.8 | 11.78% | 2019-10-04 | 2026-06-16 |
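As an added example (not part of this page's data and not vBulletin's own code): a small Python checker that turns the affected-version wording in the table above into predicates and reports which of the listed critical CVEs a given vBulletin build is exposed to, highest EPSS first, for patch prioritization. It covers only the entries whose version ranges the table states explicitly (CVE-2025-48827, CVE-2023-25135, CVE-2020-17496, CVE-2020-12720, CVE-2019-17132); CVE-2025-48828 is left out because the table gives no range for it. The PL-suffix parsing, the assumption that a bare release sorts below its PL1 build (so "before 5.6.9 PL1" includes plain 5.6.9 and "through 5.5.4" excludes any later 5.5.4 patch level), and the `php_81_or_later` flag standing in for the PHP 8.1 condition on CVE-2025-48827 are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True, order=True)
class VbVersion:
    """vBulletin version as (major, minor, patch, patch-level).

    Assumption (this example's own): a bare release such as 5.6.9 is
    patch-level 0 and therefore sorts below 5.6.9 PL1.
    """
    major: int
    minor: int
    patch: int
    pl: int = 0

    @classmethod
    def parse(cls, text: str) -> "VbVersion":
        # Accepts "5.6.9", "5.6.9 PL1" and "5.6.1pl1", the spellings used in the table.
        m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*(?:pl\s*(\d+))?\s*", text, re.I)
        if not m:
            raise ValueError(f"unrecognised vBulletin version: {text!r}")
        return cls(int(m[1]), int(m[2]), int(m[3]), int(m[4] or 0))

    def base(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.patch)


Pred = Callable[[VbVersion], bool]
V = VbVersion.parse


def between(lo: str, hi: str) -> Pred:            # "X through Y" (inclusive)
    return lambda v: V(lo) <= v <= V(hi)


def before(fix: str) -> Pred:                     # "before X"
    return lambda v: v < V(fix)


def up_to(last: str) -> Pred:                     # "through X" with no lower bound
    return lambda v: v <= V(last)


def branch_without_pl(base: str, pl: int) -> Pred:  # "5.6.0 before 5.6.0pl1"
    return lambda v: v.base() == V(base).base() and v.pl < pl


def any_of(*preds: Pred) -> Pred:
    return lambda v: any(p(v) for p in preds)


def except_fixed(pred: Pred, *fixed: str) -> Pred:  # PL fixes backported to older branches
    fixed_set = {V(f) for f in fixed}
    return lambda v: pred(v) and v not in fixed_set


# (max CVSS, EPSS %, affected-version predicate), transcribed from the table's wording.
RULES: Dict[str, Tuple[float, float, Pred]] = {
    "CVE-2025-48827": (10.0, 69.65, any_of(between("5.0.0", "5.7.5"), between("6.0.0", "6.0.3"))),
    "CVE-2023-25135": (9.8, 23.93, except_fixed(before("5.6.9 PL1"), "5.6.7 PL1", "5.6.8 PL1")),
    "CVE-2020-17496": (9.8, 87.74, between("5.5.4", "5.6.2")),
    "CVE-2020-12720": (9.8, 88.95, any_of(before("5.5.6pl1"),
                                         branch_without_pl("5.6.0", 1),
                                         branch_without_pl("5.6.1", 1))),
    "CVE-2019-17132": (9.8, 11.78, up_to("5.5.4")),
}

# Per the table, CVE-2025-48827 is only reachable when running on PHP 8.1 or later.
PHP_DEPENDENT = {"CVE-2025-48827"}


def exposed_cves(version: str, php_81_or_later: bool = True) -> List[str]:
    """CVE IDs from RULES whose affected range contains `version`, highest EPSS first."""
    v = V(version)
    hits = [cve for cve, (_, _, pred) in RULES.items()
            if pred(v) and (php_81_or_later or cve not in PHP_DEPENDENT)]
    return sorted(hits, key=lambda cve: RULES[cve][1], reverse=True)


if __name__ == "__main__":
    # Constructed sample builds; 5.6.7 PL1 shows the backported-fix edge case.
    for build in ("5.6.0", "5.6.0 PL1", "5.6.7 PL1", "5.7.5", "6.0.4"):
        print(f"{build:>10}: {exposed_cves(build) or 'no listed CVE matches'}")
```

Encoding each range as a predicate rather than a single "fixed version" keeps the two awkward cases from the table honest: CVE-2020-12720 is fixed per branch (5.5.6pl1, 5.6.0pl1, 5.6.1pl1, so 5.6.2 is clean), and CVE-2023-25135 has PL1 fixes backported to 5.6.7 and 5.6.8, which a plain "less than 5.6.9 PL1" comparison would wrongly flag.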