Vbulletin: >> Vbulletin >> 5.6.3 Security Vulnerabilities
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
CVSS Score
10.0
EPSS Score
0.17
Published
2025-05-27
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-09-16
The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-09-03
Page 1