CVE-2025-48828

CRITICAL Year: 2025
CVSS v3 Score
9.0
Critical
Weakness Type
CWE-424
View all →

Vulnerability Description

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

Related Vulnerabilities

CVE-2023-20272

HIGH
CVSS:8.8(High)

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to upload malicious files to the web root of the application. This...

CWE-4242023

CVE-2023-5165

HIGH
CVSS:8.8(High)

Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions via the debug shell which remains accessible for a short time window after launching ...

CWE-4242023

CVE-2023-52952

CRITICAL
CVSS:8.5(High)

A vulnerability has been identified in HiMed Cockpit 12 pro (J31032-K2017-H259) (All versions >= V11.5.1 < V11.6.2), HiMed Cockpit 14 pro+ (J31032-K2017-H435) (All versions >= V11.5.1 < V11.6.2), HiMe...

CWE-4242023

CVE-2024-58136

CRITICAL
CVSS:9.8(Critical)

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

CWE-4242024

CVE-2025-48827

CRITICAL
CVSS:10.0(Critical)

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method...

CWE-4242025

CVE-2019-18996

HIGH
CVSS:7.8(High)

Path settings in HMIStudio component of ABB PB610 Panel Builder 600 versions 2.8.0.424 and earlier accept DLLs outside of the program directory, potentially allowing an attacker with access to the loc...

CWE-4242019