CVE-2026-48611

CRITICAL · 9.8 EPSS 0.4%

hype LIKELY HACK · 72 hack

Working PoC demonstrated in forum, real impact shown, but no official vendor patch or KEV listing yet.

What: Improper authentication in OAuth implementation allows account hijacking in phpBB even when OAuth is disabled; affects default installations (CVSS 9.8 CRITICAL).

Why it matters: Published today with CRITICAL score and demonstrated account hijacking (admin account takeover reported on forum). No KEV listing yet, but real-world proof shown in social posts. Default configurations vulnerable, affecting widespread phpBB deployments.

Where it's seen: Social chatter emphasizes severity and real demonstration; vulnerability aggregator coverage active same day. No vendor advisory or patch timeline visible in posts, but exploitation proof already circulating informally.

RISK: CRITICAL — Default installation account hijacking, CVSS 9.8, demonstrated exploitation same-day publication.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/12/2026, 8:04:36 PM

Description

Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.

CVSS 3.0 breakdown

Exploitability 3.9 · Impact 5.9

vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack vector: Network
Complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses

CWE-287

References

Other · 1

https://www.phpbb.com/community/viewtopic.php?t=2672170