ByteOS Network

My-Little-Forum

Source -

CNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-25923

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.7||HIGH

EPSS-0.02% / 6.20%

7 Day CHG~0.00%

Published-09 Feb, 2026 | 21:56

Updated-11 Feb, 2026 | 21:20

Phar Deserialization leading to Arbitrary File Deletion in my little forum

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.

Vendor-My-Little-Forum

Product-mylittleforum

CWE ID-CWE-434

Unrestricted Upload of File with Dangerous Type

CWE ID-CWE-502

Deserialization of Untrusted Data

CVE-2025-62606

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.8||HIGH

EPSS-0.06% / 18.20%

7 Day CHG~0.00%

Published-22 Oct, 2025 | 15:11

Updated-22 Oct, 2025 | 21:12

my little forum vulnerable to SQL Injection in Bookmark Reordering via bookmarks parameter

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to version 2.5.12, an authenticated SQL injection vulnerability in the bookmark reordering feature allows any logged-in user to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 2.5.12.

Vendor-My-Little-Forum

Product-mylittleforum

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')