Back to KEVs

CVE-2025-48828

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting...

Basic Information

CVE State: PUBLISHED
Reserved Date: May 27, 2025
Published Date: May 27, 2025
Last Updated: May 27, 2025
Vendor: vBulletin
Product: vBulletin
Description: Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
Tags

CVSS Scores

CVSS v3.1

9.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score: 0.04% (Percentile: 11.76%) as of 2025-05-29

SSVC Information

Exploitation: poc
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2025-05-26 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2025-05-23 00:00:00 UTC) Source

References

https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce https://kevintel.com/CVE-2025-48828

Known Exploited Vulnerability Information

Source	Added Date
KEVIntel	2025-05-27 00:00:00 UTC

Timeline

Proof of Concept Exploit Available

May 23, 2025
CVE ID Reserved

May 27, 2025
CVE Published to Public

May 27, 2025
Added to KEVIntel

May 27, 2025