CVE-2025-48828

critical

Description

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

References

https://kevintel.com/CVE-2025-48828

https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce

https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/

Details

Source: Mitre, NVD

Published: 2025-05-27

Updated: 2025-05-28

Risk Information

CVSS v2

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00043