phpBB OAuth improper state verification + CSRF session hijack; CVSS 8.0; fixed 3.3.17

cve · CVE-2026-48612

Coverage timeline

first 2026-06-16 → last 2026-06-16

Briefs

1 distinct

Sources cited

32 hosts

Sections touched

—

Co-occurring entities

see Related entities below

Story timeline

2026-06-16CTI Daily Brief — 2026-06-16

Source distribution

attack.mitre.org4 (9%)
securityweek.com3 (7%)
thehackernews.com3 (7%)
bleepingcomputer.com2 (5%)
github.com2 (5%)
helpnetsecurity.com2 (5%)
learn.microsoft.com2 (5%)
pentest-tools.com1 (2%)
other24 (56%)

Related entities

Google Threat Intelligence Group AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW; AI-augmented malware (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE); state-actor Gemini abuse (UNC2814, APT45, APT27, UNC5673)
annual-reportannual-report:gtig-ai-threat-tracker-may-2026×1
phpBB unauthenticated OAuth auth-bypass to admin (CVE-2026-48611, CVSS 9.8) + CSRF CVE-2026-48612; fixed 3.3.17
cveCVE-2026-48611×1

External references

NVD · cve.org · CISA KEV

All cited sources (43)

Items in briefs about phpBB OAuth improper state verification + CSRF session hijack; CVSS 8.0; fixed 3.3.17 (1)

CVE-2026-48611 / CVE-2026-48612 — phpBB: unauthenticated authentication bypass to admin, one HTTP request

From CTI Daily Brief — 2026-06-16 · published 2026-06-16 · view item permalink →

Pentest-Tools.com disclosed two authentication flaws in phpBB, the open-source forum software common across European universities, municipalities and community portals (Pentest-Tools.com, 2026-06-08). CVE-2026-48611 (NVD CVSS 9.8) is an improper-authentication flaw in the OAuth implementation that allows account hijacking — including admin accounts — even when OAuth is not configured, reachable by a single unauthenticated request given only a target username (publicly visible via the member list) (NVD). CVE-2026-48612 (CVSS 8.0) chains improper OAuth state verification with CSRF to hijack a logged-in session on OAuth-enabled boards. Both affect phpBB 3.1.0 through 3.3.16 (a 10-year release span) and 4.0.0-alpha, and are fixed in phpBB 3.3.17 (phpBB, 2026-06-06). The disclosing source does not publish exploit code, and no in-the-wild exploitation is reported yet. Upgrade immediately for any internet-reachable instance; if upgrade is delayed, disable the OAuth integration even if unused.

CVE Summary Table

CVE	Product	CVSS	EPSS	KEV	Exploited	Patch	Source
CVE-2026-20262	Cisco Catalyst SD-WAN Manager	6.5	n/a	Yes	Yes (ITW)	20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2	Cisco PSIRT
CVE-2026-54420	LiteSpeed cPanel/WHM plugin	8.5	n/a	Yes	Yes (ITW, May 2026)	WHM PlugIn version 5.3.2.1 / plugin 2.4.8	LiteSpeed
CVE-2026-48611	phpBB 3.1.0–3.3.16, 4.0.0-alpha	9.8	n/a	No	No	phpBB 3.3.17	Pentest-Tools.com
CVE-2026-48612	phpBB (OAuth-enabled)	8.0	n/a	No	No	phpBB 3.3.17	Pentest-Tools.com