CVE-2019-25685
Arbitrary File Upload in phpBB plupload Enables Remote Code Execution
Publication date: 2026-04-05
Last updated on: 2026-04-19
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpbb | phpbb | up to and including 3.2.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in phpBB allows authenticated attackers to upload malicious files by exploiting the plupload functionality and the phar:// stream wrapper.
Attackers can upload a specially crafted zip file containing serialized PHP objects that execute arbitrary code when deserialized through the imagick parameter in attachment settings.
How can this vulnerability impact me?
The vulnerability can lead to arbitrary code execution on the affected system, allowing attackers to run malicious code with the privileges of the phpBB application.
This can result in unauthorized access, data compromise, system manipulation, or further exploitation of the server hosting phpBB.