← back
CVE-2025-48828

CVE-2025-48828

CVSS 9 CRITICALEPSS 48.4%CWE-424
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
vBulletin · vBulletin
public PoCs found2
githubgithub.com/ill-deed/vBulletin-CVE-2025-48828-Multi-target0cve_referenceblog.kevintel.com/vbulletin-replaceadtemplate-kev/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rcehttps://kevintel.com/CVE-2025-48828