← back
CVE-2025-48827

CVE-2025-48827

CVSS 10 CRITICALEPSS 69.6%CWE-424
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
vBulletin · vBulletin
public PoCs found4
githubgithub.com/0xgh057r3c0n/CVE-2025-4882711githubgithub.com/SystemVll/CVE-2025-488271githubgithub.com/wiseep/CVE-2025-488270cve_referenceblog.kevintel.com/vbulletin-replaceadtemplate-kev/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rcehttps://kevintel.com/CVE-2025-48827