CVE-2025-70810 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting phpBB. This flaw allows an attacker to potentially execute arbitrary code by exploiting the login function and authentication mechanism. The vulnerability impacts phpBB versions 3.3.15 and earlier. A fix is expected in a future phpBB release.
Impact and Attack Scenarios
A successful CSRF attack could allow an attacker to perform actions on behalf of an authenticated user without their knowledge or consent. In the context of phpBB, this could involve modifying user profiles, posting unauthorized content, or even gaining administrative access if the targeted user has elevated privileges. The attacker would need to craft malicious requests that trick the user into unknowingly submitting them, potentially through phishing or social engineering techniques. The blast radius depends on the user's permissions; an administrator account compromise would have the most significant impact.
Exploitation Context
The vulnerability was published on 2026-04-09. Exploitation context is currently limited, with no public Proof-of-Concept (POC) code available. The vulnerability's severity is pending evaluation. Monitor security advisories and vendor updates for further information and potential exploitation patterns.
Threat Intelligence
Exploit Status
EPSS: 0.03% (8th percentile)
Affected Software
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
Until a patched version of phpBB is released, implement defensive measures to mitigate the risk. Consider implementing strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed. Employ input validation and output encoding to sanitize user-supplied data. Implement CSRF tokens on all sensitive actions, such as profile updates and administrative functions. Web application firewalls (WAFs) configured with CSRF protection rules can also provide an additional layer of defense. Regularly monitor logs for suspicious activity related to login attempts and authentication failures.
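As an added illustration of the "CSRF tokens on all sensitive actions" advice above (this is example code written for this page, not phpBB's own form-token implementation, and the handler, field names and `same_origin` helper are hypothetical), the following PHP snippet issues a per-session synchronizer token, embeds it in a form, and rejects any state-changing POST whose token does not match in constant time. The SameSite cookie flag and the Origin/Referer check are defence-in-depth layers around the token, not replacements for it.

```php
<?php
// Added example: synchronizer-token CSRF protection for a sensitive form handler.
// Not phpBB's code; phpBB ships its own form-token mechanism. Names are hypothetical.
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,   // only send the session cookie over HTTPS
    'cookie_samesite' => 'Lax',  // browsers drop the cookie on most cross-site POSTs
]);

const CSRF_TTL = 3600; // token lifetime in seconds

/** Return the session's CSRF token, creating or rotating it when missing or expired. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token']) || ($_SESSION['csrf_issued'] ?? 0) + CSRF_TTL < time()) {
        $_SESSION['csrf_token']  = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $_SESSION['csrf_issued'] = time();
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to embed in every state-changing form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Validate a submitted token against the session; true only on an exact, unexpired match. */
function csrf_validate(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    if (($_SESSION['csrf_issued'] ?? 0) + CSRF_TTL < time()) {
        return false; // expired token: the user must reload the form
    }
    // Constant-time comparison so the token cannot be recovered byte by byte via timing.
    return hash_equals($expected, $submitted);
}

/** Defence in depth: reject requests whose Origin (or Referer) names a foreign host. */
function same_origin(array $server, string $expectedHost): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($origin === null) {
        return true; // header absent: the token check alone decides
    }
    return strcasecmp((string) parse_url($origin, PHP_URL_HOST), $expectedHost) === 0;
}

// Hypothetical handler for a sensitive action (a profile update).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!same_origin($_SERVER, $_SERVER['SERVER_NAME'] ?? '')
        || !csrf_validate($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        // Log the failure so the monitoring recommended above can pick it up.
        error_log('CSRF check failed for ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Invalid or missing request token.');
    }
    // ... perform the state change only after both checks pass ...
    echo 'Profile updated.';
} else {
    echo '<form method="post">' . csrf_field()
        . '<input name="signature"><button type="submit">Save</button></form>';
}
```

The token is tied to the session rather than to a single form so that multi-tab use keeps working; rotating it after a successful login (session regeneration) prevents a token fixed before authentication from being reused afterwards. When `same_origin` sees no Origin or Referer header it defers to the token rather than rejecting, because some privacy settings strip those headers from legitimate same-site requests.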
How to fix
Update phpBB to a fixed version to mitigate the Cross-Site Request Forgery (CSRF) risk. Consult the official phpBB documentation for detailed instructions on upgrading your installation. Make sure to back up your database before performing any update.
Frequently asked questions
What is CVE-2025-70810 — CSRF in phpBB?
CVE-2025-70810 is a Cross-Site Request Forgery (CSRF) vulnerability affecting phpBB versions 3.3.15 and earlier. It allows attackers to potentially execute arbitrary code via the login function and authentication mechanism.
Am I affected by CVE-2025-70810 in phpBB?
If you are running phpBB version 3.3.15 or earlier, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
How do I fix CVE-2025-70810 in phpBB?
The official fix is expected in a future phpBB release. Until then, implement mitigation strategies such as CSP headers, input validation, CSRF tokens, and WAF rules.
Is CVE-2025-70810 being actively exploited?
Currently, there is no public evidence of active exploitation. However, the vulnerability is publicly known, and exploitation is possible.
Where can I find the official phpBB advisory for CVE-2025-70810?
Refer to the official phpBB security announcements page for updates and advisories related to CVE-2025-70810: [https://www.phpbb.com/support/security/](https://www.phpbb.com/support/security/)