CVE-2026-25923 HIGH

CVE-2026-25923: Phar Deserialization leading to Arbitrary File Deletion in my little forum

Vendor My-Little-Forum
Product mylittleforum
Weakness CWE-434 · Unrestricted file upload
Published February 9, 2026
Last update February 11, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.

Key dates

02Disclosure timeline

February 9, 2026 CVE published
February 11, 2026 Record updated