CVE-2026-25923
Awaiting Analysis Awaiting Analysis - Queue
Phar Deserialization in My Little Forum Enables Arbitrary File Deletion

Publication date: 2026-02-09

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mylittleforum my_little_forum to 20260208.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in my little forum, a PHP and MySQL based internet forum, prior to version 20260208.1. The application does not properly filter the phar:// protocol in URL validation. This allows attackers to upload a malicious Phar Polyglot file disguised as a JPEG image via the image upload feature. When the forum processes BBCode [img] tags, it triggers Phar deserialization, which can be exploited through Smarty 4.1.0's POP chain to achieve arbitrary file deletion.

Impact Analysis

This vulnerability can allow an attacker to delete arbitrary files on the server hosting the forum. Since the attacker can upload a malicious file disguised as an image and trigger its deserialization, they can exploit the system to remove files without authorization, potentially leading to data loss, service disruption, or further compromise of the server.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update my little forum to version 20260208.1 or later, where the issue with filtering the phar:// protocol in URL validation has been fixed.

Until the update is applied, consider disabling or restricting the image upload feature to prevent attackers from uploading malicious Phar Polyglot files disguised as JPEGs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25923. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart