ByteOS Network

phpBB

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-29199

Assigner-HackerOne

View Details

Assigner-HackerOne

CVSS Score-8.1||HIGH

EPSS-0.03% / 8.50%

7 Day CHG~0.00%

Published-04 May, 2026 | 05:42

Updated-07 May, 2026 | 15:53

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

Vendor-phpBB

Product-phpBB

CWE ID-CWE-640

Weak Password Recovery Mechanism for Forgotten Password

CVE-2023-5917

Assigner-VulDB

View Details

Assigner-VulDB

CVSS Score-2.4||LOW

EPSS-0.09% / 24.65%

7 Day CHG~0.00%

Published-02 Nov, 2023 | 10:31

Updated-27 Feb, 2025 | 20:36

phpBB Smiley Pack acp_icons.php main cross site scripting

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.3.11 is able to address this issue. The patch is named ccf6e6c255d38692d72fcb613b113e6eaa240aac. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-244307.

Vendor-phpbb n/a

Product-phpbb phpBB

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')