CVE-2026-25923

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25923
my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1 Product Release Notes
https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw Exploit Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mylittleforum:my_little_forum:*:*:*:*:*:*:*:*
History

17 Mar 2026, 20:30

Type Values Removed Values Added
First Time Mylittleforum
Mylittleforum my Little Forum
CPE cpe:2.3:a:mylittleforum:my_little_forum:*:*:*:*:*:*:*:*
References () https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1 - () https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1 - Product, Release Notes
References () https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw - () https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw - Exploit, Mitigation, Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1
Summary
  • (es) mi pequeño foro es un foro de internet basado en PHP y MySQL que muestra los mensajes en vista clásica de hilos. Antes de 20260208.1, la aplicación no filtra el protocolo phar:// en la validación de URL, permitiendo a los atacantes subir un archivo Phar Polyglot malicioso (disfrazado como JPEG) a través de la función de subida de imágenes, activar la deserialización de Phar a través del procesamiento de la etiqueta BBCode [img], y explotar la cadena POP de Smarty 4.1.0 para lograr la eliminación arbitraria de archivos. Esta vulnerabilidad está corregida en 20260208.1.

09 Feb 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-09 22:16

Updated : 2026-03-17 20:30

NVD link : CVE-2026-25923

Mitre link : CVE-2026-25923

CVE.ORG link : CVE-2026-25923

JSON object : View

Products Affected

mylittleforum

  • my_little_forum
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-502

Deserialization of Untrusted Data