Remote Code Execution Vulnerability in vBulletin Template Engine
CVE-2025-48828

8.1HIGH

Key Information:

Vendor

Vbulletin

Status
Vbulletin
Vendor
CVE Published:
27 May 2025

Badges

🟣 EPSS 73%πŸ“° News Worthy

What is CVE-2025-48828?

Certain versions of vBulletin are vulnerable to a remote code execution flaw that allows attackers to exploit template conditionals within the template engine. By utilizing a specific syntax for PHP function invocation, such as "var_dump"("test"), attackers can circumvent existing security measures and execute arbitrary PHP code on the server. This vulnerability poses significant risks to the integrity and security of affected vBulletin installations.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

vBulletin 6.0.3

News Articles

favicon imageSecurity Affairs

Two flaws in vBulletin forum software are under attack

Experts found two vulnerabilities in the vBulletin forum software, one of which is already being exploited in real-world attacks.

References

https://karmainsecurity.com/dont-call-that-protected-meth...
https://kevintel.com/CVE-2025-48828

EPSS Score

73% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ“°

    First article discovered by Security Affairs

  • Vulnerability published

  • Vulnerability Reserved

JSON
.