CVE-2023-53894 CRITICAL

CVE-2023-53894: phpfm 1.7.9 Authentication Bypass via Type Juggling Vulnerability

Vendor Dulldusk
Product phpfm
Weakness CWE-1390
Published December 16, 2025
Last update April 7, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.

Key dates

02Disclosure timeline

December 16, 2025 CVE published
April 7, 2026 Record updated