CVE-2025-48827

CRITICAL Year: 2025
CVSS v3 Score
10.0
Critical
Weakness Type
CWE-424
View all →

Vulnerability Description

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

Related Vulnerabilities

CVE-2024-58136

CRITICAL
CVSS:9.8(Critical)

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

CWE-4242024

CVE-2025-48828

CRITICAL
CVSS:9.0(Critical)

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocat...

CWE-4242025

CVE-2023-20272

HIGH
CVSS:8.8(High)

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to upload malicious files to the web root of the application. This...

CWE-4242023

CVE-2023-5165

HIGH
CVSS:8.8(High)

Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions via the debug shell which remains accessible for a short time window after launching ...

CWE-4242023

CVE-2023-52952

CRITICAL
CVSS:8.5(High)

A vulnerability has been identified in HiMed Cockpit 12 pro (J31032-K2017-H259) (All versions >= V11.5.1 < V11.6.2), HiMed Cockpit 14 pro+ (J31032-K2017-H435) (All versions >= V11.5.1 < V11.6.2), HiMe...

CWE-4242023

CVE-2024-58136

CRITICAL
CVSS:9.8(Critical)

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

CWE-4242024