CVE-2026-25923

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions my little forum versions prior to 20260208.1

Description The application does not properly filter the phar:// protocol in URL validation. This allows attackers to upload a malicious Phar Polyglot file, disguised as a JPEG, through the image upload feature. The application then triggers Phar deserialization through BBCode [img] tag processing and exploits a Smarty 4.1.0 Property-Oriented Programming (POP) chain, leading to arbitrary file deletion. The vulnerable component is the image upload feature, which processes BBCode tags. The API endpoint involved is the image upload functionality. The vulnerable parameter is the image file itself.

Recommendations Update my little forum to version 20260208.1 or later.

Exploit

Fix

Deserialization of Untrusted Data

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-434

Related Identifiers

CVE-2026-25923

GHSA-WR9P-3C3G-78FW

Affected Products

Smarty

My Little Forum

CVE-2026-25923

Weakness Enumeration

Related Identifiers

Affected Products

References · 6