
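    4 vulnerability records for My-Little-Forum (two CVEs, CVE-2026-25923 and CVE-2025-62606, each listed once from the nvd source and once from the cvelistv5 source)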

    CVE-2026-25923 (GCVE-0-2026-25923)

    Vulnerability from nvd – Published: 2026-02-09 21:56 – Updated: 2026-02-11 21:20
    VLAI
    Title
    Phar Deserialization leading to Arbitrary File Deletion in my little forum
    Summary
    my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to version 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar polyglot file (disguised as a JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit a Smarty 4.1.0 POP (property-oriented programming) chain to achieve arbitrary file deletion. This vulnerability is fixed in version 20260208.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    My-Little-Forum mylittleforum Affected: < 20260208.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25923",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-11T21:20:19.689679Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-11T21:20:25.222Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mylittleforum",
              "vendor": "My-Little-Forum",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 20260208.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-09T21:56:02.862Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw"
            },
            {
              "name": "https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1"
            }
          ],
          "source": {
            "advisory": "GHSA-wr9p-3c3g-78fw",
            "discovery": "UNKNOWN"
          },
          "title": "Phar Deserialization leading to Arbitrary File Deletion in my little forum"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25923",
        "datePublished": "2026-02-09T21:56:02.862Z",
        "dateReserved": "2026-02-09T16:22:17.785Z",
        "dateUpdated": "2026-02-11T21:20:25.222Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62606 (GCVE-0-2025-62606)

    Vulnerability from nvd – Published: 2025-10-22 15:11 – Updated: 2025-10-22 17:21
    VLAI
    Title
    my little forum vulnerable to SQL Injection in Bookmark Reordering via bookmarks parameter
    Summary
    my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to version 2.5.12, an authenticated SQL injection vulnerability in the bookmark reordering feature allows any logged-in user to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 2.5.12; the record's release reference for the fix is tagged 20251021.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62606",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T17:21:32.279946Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T17:21:38.838Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-m8hj-c6gr-6h6v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mylittleforum",
              "vendor": "My-Little-Forum",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.5.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to version 2.5.12, an authenticated SQL injection vulnerability in the bookmark reordering feature allows any logged-in user to execute arbitrary SQL commands. This can lead to a full compromise of the application\u0027s database, including reading, modifying, or deleting all data. This issue has been patched in version 2.5.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T15:11:16.114Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-m8hj-c6gr-6h6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-m8hj-c6gr-6h6v"
            },
            {
              "name": "https://github.com/My-Little-Forum/mylittleforum/releases/tag/20251021.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/My-Little-Forum/mylittleforum/releases/tag/20251021.1"
            }
          ],
          "source": {
            "advisory": "GHSA-m8hj-c6gr-6h6v",
            "discovery": "UNKNOWN"
          },
          "title": "my little forum vulnerable to SQL Injection in Bookmark Reordering via bookmarks parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62606",
        "datePublished": "2025-10-22T15:11:16.114Z",
        "dateReserved": "2025-10-16T19:24:37.268Z",
        "dateUpdated": "2025-10-22T17:21:38.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-25923 (GCVE-0-2026-25923)

    Vulnerability from cvelistv5 – Published: 2026-02-09 21:56 – Updated: 2026-02-11 21:20
    VLAI
    Title
    Phar Deserialization leading to Arbitrary File Deletion in my little forum
    Summary
    my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to version 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar polyglot file (disguised as a JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit a Smarty 4.1.0 POP (property-oriented programming) chain to achieve arbitrary file deletion. This vulnerability is fixed in version 20260208.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    My-Little-Forum mylittleforum Affected: < 20260208.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25923",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-11T21:20:19.689679Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-11T21:20:25.222Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mylittleforum",
              "vendor": "My-Little-Forum",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 20260208.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-09T21:56:02.862Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw"
            },
            {
              "name": "https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1"
            }
          ],
          "source": {
            "advisory": "GHSA-wr9p-3c3g-78fw",
            "discovery": "UNKNOWN"
          },
          "title": "Phar Deserialization leading to Arbitrary File Deletion in my little forum"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25923",
        "datePublished": "2026-02-09T21:56:02.862Z",
        "dateReserved": "2026-02-09T16:22:17.785Z",
        "dateUpdated": "2026-02-11T21:20:25.222Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62606 (GCVE-0-2025-62606)

    Vulnerability from cvelistv5 – Published: 2025-10-22 15:11 – Updated: 2025-10-22 17:21
    VLAI
    Title
    my little forum vulnerable to SQL Injection in Bookmark Reordering via bookmarks parameter
    Summary
    my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to version 2.5.12, an authenticated SQL injection vulnerability in the bookmark reordering feature allows any logged-in user to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 2.5.12; the record's release reference for the fix is tagged 20251021.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62606",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T17:21:32.279946Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T17:21:38.838Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-m8hj-c6gr-6h6v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mylittleforum",
              "vendor": "My-Little-Forum",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.5.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to version 2.5.12, an authenticated SQL injection vulnerability in the bookmark reordering feature allows any logged-in user to execute arbitrary SQL commands. This can lead to a full compromise of the application\u0027s database, including reading, modifying, or deleting all data. This issue has been patched in version 2.5.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T15:11:16.114Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-m8hj-c6gr-6h6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-m8hj-c6gr-6h6v"
            },
            {
              "name": "https://github.com/My-Little-Forum/mylittleforum/releases/tag/20251021.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/My-Little-Forum/mylittleforum/releases/tag/20251021.1"
            }
          ],
          "source": {
            "advisory": "GHSA-m8hj-c6gr-6h6v",
            "discovery": "UNKNOWN"
          },
          "title": "my little forum vulnerable to SQL Injection in Bookmark Reordering via bookmarks parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62606",
        "datePublished": "2025-10-22T15:11:16.114Z",
        "dateReserved": "2025-10-16T19:24:37.268Z",
        "dateUpdated": "2025-10-22T17:21:38.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }