ctipilot.ch


CVE-2026-48611 / CVE-2026-48612 — phpBB: unauthenticated authentication bypass to admin, one HTTP request

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

Pentest-Tools.com disclosed two authentication flaws in phpBB, the open-source forum software common across European universities, municipalities and community portals (Pentest-Tools.com, 2026-06-08). CVE-2026-48611 (NVD CVSS 9.8) is an improper-authentication flaw in the OAuth implementation that allows account hijacking — including admin accounts — even when OAuth is not configured, reachable by a single unauthenticated request given only a target username (publicly visible via the member list) (NVD). CVE-2026-48612 (CVSS 8.0) chains improper OAuth state verification with CSRF to hijack a logged-in session on OAuth-enabled boards. Both affect phpBB 3.1.0 through 3.3.16 (a 10-year release span) and 4.0.0-alpha, and are fixed in phpBB 3.3.17 (phpBB, 2026-06-06). The disclosing source does not publish exploit code, and no in-the-wild exploitation is reported yet. Upgrade immediately for any internet-reachable instance; if upgrade is delayed, disable the OAuth integration even if unused.
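A fleet-wide triage step that follows from the version ranges quoted above, as an added example that is not part of the brief and not code from Pentest-Tools.com or the phpBB project: it parses phpBB version strings (including pre-release tags such as 4.0.0-alpha), classifies each one against the affected range 3.1.0 through 3.3.16 plus 4.0.0-alpha and the fixed release 3.3.17, and ranks an inventory of boards by exposure. Anything outside the ranges the brief lists (older than 3.1.0, 4.0.0 builds other than alpha, pre-release tags on the 3.3.17 line) is reported as "unknown" rather than assumed safe. The hostnames, the inventory rows and the field names `oauth_enabled` and `internet_facing` are constructed sample data.

```python
"""Triage a phpBB host inventory against the version ranges in this brief.

Affected: phpBB 3.1.0 through 3.3.16 and 4.0.0-alpha; fixed in 3.3.17 (as stated
in the brief). Hosts and inventory rows below are constructed sample data.
"""
import re

AFFECTED_MIN = (3, 1, 0)
AFFECTED_MAX = (3, 3, 16)
FIXED = (3, 3, 17)
NEXT_MAJOR = (4, 0, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Split 'X.Y.Z' or 'X.Y.Z-tag' into ((X, Y, Z), tag-or-None).

    Raises ValueError for anything that does not look like a phpBB version,
    so a malformed inventory entry is reported instead of silently passing.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised phpBB version: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def status(version):
    """Classify one version string as 'affected', 'fixed' or 'unknown'.

    'unknown' covers everything the brief does not list: releases older than
    3.1.0, 4.0.0 builds other than alpha, and pre-release tags on the 3.3.17+
    line. Those should be checked against the vendor advisory, not assumed safe.
    """
    nums, tag = parse_version(version)
    if AFFECTED_MIN <= nums <= AFFECTED_MAX:
        return "affected"
    if nums == NEXT_MAJOR and tag is not None and tag.lower().startswith("alpha"):
        return "affected"
    if FIXED <= nums < NEXT_MAJOR and tag is None:
        return "fixed"
    return "unknown"


def triage(inventory):
    """Return one finding per host with a priority, applicable CVEs and action."""
    findings = []
    for host in inventory:
        st = status(host["version"])
        cves = []
        if st == "affected":
            # CVE-2026-48611 needs no OAuth configuration; CVE-2026-48612 only
            # applies to boards with the OAuth integration enabled.
            cves.append("CVE-2026-48611")
            if host["oauth_enabled"]:
                cves.append("CVE-2026-48612")
            priority = "P1" if host["internet_facing"] else "P2"
            action = "upgrade to phpBB 3.3.17; disable the OAuth integration until upgraded"
        elif st == "fixed":
            priority, action = "none", "no action"
        else:
            priority, action = "verify", "version outside the advisory ranges; confirm with vendor"
        findings.append({"host": host["host"], "version": host["version"], "status": st,
                         "priority": priority, "cves": cves, "action": action})
    # Most urgent first; Python's sort is stable, so inventory order is kept within a priority.
    order = {"P1": 0, "P2": 1, "verify": 2, "none": 3}
    findings.sort(key=lambda f: order[f["priority"]])
    return findings


# Constructed sample inventory (hypothetical hosts, not real assets).
SAMPLE_INVENTORY = [
    {"host": "forum.example.edu", "version": "3.3.12", "oauth_enabled": True, "internet_facing": True},
    {"host": "intranet-board.example.org", "version": "3.2.8", "oauth_enabled": False, "internet_facing": False},
    {"host": "beta.example.net", "version": "4.0.0-alpha", "oauth_enabled": False, "internet_facing": True},
    {"host": "patched.example.com", "version": "3.3.17", "oauth_enabled": True, "internet_facing": True},
    {"host": "legacy.example.ch", "version": "3.0.14", "oauth_enabled": False, "internet_facing": True},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['priority']:6} {f['host']:28} {f['version']:12} {f['status']:9} "
              f"{','.join(f['cves']) or '-'}  {f['action']}")
```

Run it as-is to see the ranking of the sample inventory; in practice the `SAMPLE_INVENTORY` list is replaced by rows exported from an asset register or a configuration-management query. The three-way classification is deliberate: treating everything not in the affected range as "fixed" would silently pass pre-release builds and versions the advisory never assessed.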

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | 6.5 | n/a | Yes | Yes (ITW) | 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2 | Cisco PSIRT |
| CVE-2026-54420 | LiteSpeed cPanel/WHM plugin | 8.5 | n/a | Yes | Yes (ITW, May 2026) | WHM PlugIn version 5.3.2.1 / plugin 2.4.8 | LiteSpeed |
| CVE-2026-48611 | phpBB 3.1.0–3.3.16, 4.0.0-alpha | 9.8 | n/a | No | No | phpBB 3.3.17 | Pentest-Tools.com |
| CVE-2026-48612 | phpBB (OAuth-enabled) | 8.0 | n/a | No | No | phpBB 3.3.17 | Pentest-Tools.com |