Remote Code Execution Vulnerability in vBulletin Template Engine
CVE-2025-48828

8.1 HIGH

Key Information:

Vendor: vBulletin

Status
Vendor
CVE Published: 27 May 2025

Badges

🟣 EPSS 54% 📰 News Worthy

What is CVE-2025-48828?

Certain versions of vBulletin are vulnerable to remote code execution through template conditionals in the template engine. By using an alternative syntax for PHP function invocation, such as "var_dump"("test"), attackers can circumvent the existing security measures and execute arbitrary PHP code on the server. This puts the integrity and security of affected vBulletin installations at significant risk.

Affected Version(s)

vBulletin 6.0.3

News Articles

Two flaws in vBulletin forum software are under attack

Experts found two vulnerabilities in the vBulletin forum software, one of which is already being exploited in real-world attacks.

EPSS Score

54% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by Security Affairs

  • Vulnerability published

  • Vulnerability Reserved