CVE-2025-46171

Published Jul 23, 2025

Last updated 8 months ago

CVSS medium 5.4

Overview

Description
vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.
Source
cve@mitre.org
NVD status
Analyzed
Products
vbulletin

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.4
Impact score
2.5
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-400

Social media

Hype score
Not currently trending

  1. CVE-2025-46171 vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, p… https://t.co/UUzSQqEwsf

    @CVEnew

    23 Jul 2025

    303 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.CVE-2025-48828
  2. vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.CVE-2025-48827
  3. vBulletin PHP Module Remote Code Execution VulnerabilityCVE-2020-17496
  4. vBulletin PHP Module Remote Code Execution VulnerabilityCVE-2019-16759

References

Sources include official advisories and independent security research.