CVE-2026-48613 PUBLISHED

Assigner: hackerone
Reserved: 22.05.2026 Published: 12.06.2026 Updated: 12.06.2026

SQL injection vulnerability in the phpBB profile field migration, caused by improper handling of user-supplied profile field data during migration, allows execution of arbitrary SQL queries. It only applies to phpBB forums that were updated from versions prior to phpBB 3.3.8 and have not yet been updated to 3.3.11 or newer.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/CR:H/IR:H/AR:H
CVSS Score: 7.1

Product Status

Vendor phpBB
Product phpBB
Versions Default: unaffected
  • affected from 3.3.8 to 3.3.16 (incl.)

Problem Types

  • CWE-89 SQL Injection