← volver
CVE-2025-48828

CVE-2025-48828

CVSS 9 CRITICALEPSS 48.4%CWE-424
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Productos afectados
vBulletin · vBulletin
PoCs públicas encontradas2
githubgithub.com/ill-deed/vBulletin-CVE-2025-48828-Multi-target0cve_referenceblog.kevintel.com/vbulletin-replaceadtemplate-kev/no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rcehttps://kevintel.com/CVE-2025-48828