CVE-2026-25923
Awaiting Analysis Awaiting Analysis - Queue
Phar Deserialization in My Little Forum Enables Arbitrary File Deletion

Publication date: 2026-02-09

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-03-17
Generated
2026-05-07
AI Q&A
2026-02-10
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mylittleforum my_little_forum to 20260208.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in my little forum, a PHP and MySQL based internet forum, prior to version 20260208.1. The application does not properly filter the phar:// protocol in URL validation. This allows attackers to upload a malicious Phar Polyglot file disguised as a JPEG image via the image upload feature. When the forum processes BBCode [img] tags, it triggers Phar deserialization, which can be exploited through Smarty 4.1.0's POP chain to achieve arbitrary file deletion.


How can this vulnerability impact me? :

This vulnerability can allow an attacker to delete arbitrary files on the server hosting the forum. Since the attacker can upload a malicious file disguised as an image and trigger its deserialization, they can exploit the system to remove files without authorization, potentially leading to data loss, service disruption, or further compromise of the server.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update my little forum to version 20260208.1 or later, where the issue with filtering the phar:// protocol in URL validation has been fixed.

Until the update is applied, consider disabling or restricting the image upload feature to prevent attackers from uploading malicious Phar Polyglot files disguised as JPEGs.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart