{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70811", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T14:06:56.837Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-09T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-09T14:06:56.837Z"}, "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/ariefibis"}, {"url": "https://www.linkedin.com/in/mohammed-a-6a2548112/"}, {"url": "https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality."}], "id": "CVE-2025-70811", "lastModified": "2026-04-09T15:16:09.163", "metrics": {}, "published": "2026-04-09T15:16:09.163", "references": [{"source": "cve@mitre.org", "url": "https://github.com/ariefibis"}, {"source": "cve@mitre.org", "url": "https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822"}, {"source": "cve@mitre.org", "url": "https://www.linkedin.com/in/mohammed-a-6a2548112/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.3.15"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "phpbb3", "vendor": "ariefibis"}], "analysis": {"en": {"generated_at": "2026-04-09T16:52:36.462936+00:00", "value": {"mitigation_remediation": ["Apply phpBB 3.3.16 or newer to resolve the CSRF protection flaw.", "If an upgrade is not immediately possible, disable or restrict access to the Admin Control Panel icon\u2011management interface.", "Implement strict access controls and limit the number of accounts with administrative privileges.", "Monitor server logs for unusual icon uploads or configuration changes and investigate promptly."], "summary": {"action": "Patch", "impact": "Local Code Execution"}, "threat_synthesis": {"affected_systems": "Only phpBB 3.3.15 is known to contain this issue. Users running that specific release and accessing the icon\u2011management feature should verify whether the vulnerability is present. No other vendors or product variants are known to be affected.", "description_and_impact": "A Cross\u2011Site Request Forgery flaw in phpBB 3.3.15\u2019s Admin Control Panel icon\u2011management interface permits a local attacker, who has already authenticated with sufficient privileges, to inject and execute arbitrary code. The vulnerability stems from missing or improperly validated CSRF tokens, allowing the attacker to submit crafted requests that the admin area accepts. The consequence is full control over the application, potentially compromising the underlying operating system and data. This flaw aligns with CWE\u2011352 for CSRF and CWE\u201194 for improper code generation.", "risk_and_exploitability": "The vulnerability cannot be exploited from the external network; it requires a user with local or administrative credentials. While no EPSS score is reported and the flaw is not listed in the CISA KEV catalog, the ability to execute arbitrary code makes the risk significant for affected installations. Administrators should assume that a compromised local account could lead to a full takeover, and therefore prompt remediation is advised."}}}}, "created": "2026-04-10T08:54:05.065308+00:00", "title": "CSRF in phpBB 3.3.15 Admin Icon Management Enables Local Code Execution", "updated": "2026-04-10T09:33:14.654691+00:00", "vendors": ["ariefibis", "ariefibis$PRODUCT$phpbb3"], "weaknesses": ["CWE-352", "CWE-94"]}