CVE-2026-25923

Name of the Vulnerable Software and Affected Versions my little forum versions prior to 20260208.1

Description The application does not properly filter the phar:// protocol in URL validation. This allows attackers to upload a malicious Phar Polyglot file, disguised as a JPEG, through the image upload feature. The application then triggers Phar deserialization through BBCode [img] tag processing and exploits a Smarty 4.1.0 Property-Oriented Programming (POP) chain, leading to arbitrary file deletion. The vulnerable component is the image upload feature, which processes BBCode tags. The API endpoint involved is the image upload functionality. The vulnerable parameter is the image file itself.

Recommendations Update my little forum to version 20260208.1 or later.