CVE-2025-48828 CRITICAL

Vendor vBulletin
Product vBulletin
Weakness CWE-424
Published May 27, 2025
Last update May 27, 2025

CVSS base score

9.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

Key dates

02 Disclosure timeline

May 27, 2025 CVE published
May 27, 2025 Record updated