CVE-2025-48827 CRITICAL

Vendor vBulletin
Product vBulletin
Weakness CWE-424
Published May 27, 2025
Last update May 27, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

Key dates

02 Disclosure timeline

May 27, 2025 CVE published
May 27, 2025 Record updated