A Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2025-70811, has been identified in phpBB, affecting versions 3.3.15 and earlier. The Admin Control Panel's icon management functionality accepts state-changing requests without an adequate anti-forgery check, so an attacker who lures a logged-in administrator to a malicious page can have the administrator's browser submit requests to it; according to the advisory, this can be leveraged to execute arbitrary code. Successful exploitation could lead to unauthorized modifications to the phpBB installation and compromise of the underlying server. A fix from the phpBB development team is pending; this page does not name a fixed release.
Impact and Attack Scenarios
A CSRF flaw means the Admin Control Panel's icon management endpoint trusts that any request carrying a valid administrator session was initiated by that administrator. An attacker who gets an authenticated administrator to open a crafted link or an attacker-controlled page can have the administrator's browser submit a forged request to that endpoint; the browser attaches the session cookie automatically, so the attacker never needs the administrator's credentials. Two preconditions apply: the victim must hold administrator rights, and, because phpBB requires a separate login to the ACP, the forged request only succeeds while that ACP session is active. According to the advisory the forged request can be leveraged to execute arbitrary code within the phpBB environment, which in turn allows modifying forum settings, installing malicious extensions, or taking control of the server hosting the installation. The blast radius covers every user of the forum, since a compromised administrative account can alter or expose the entire community's data. CSRF weaknesses in comparable administrative interfaces have repeatedly been used to gain unauthorized access and control, so the attack pattern is well understood even though no exploitation of this specific flaw has been reported.
Exploitation Context
The vulnerability was published on 2026-04-09. It is not recorded in CISA's Known Exploited Vulnerabilities (KEV) catalog as far as this page tracks, and its EPSS (Exploit Prediction Scoring System) score is 0.02% (4th percentile), a low predicted probability of exploitation within the next 30 days. Public proof-of-concept (PoC) code is not yet available. A CSRF exploit needs nothing more than an HTML page with an auto-submitting form aimed at the vulnerable endpoint, so PoC code is likely to appear once the affected request parameters are widely known. Monitor security advisories and threat intelligence feeds for updates.
Threat Intelligence
Exploit status: no public proof-of-concept recorded at time of writing.
EPSS: 0.02% (4th percentile).
Affected software: phpBB 3.3.15 and earlier.
Timeline: published 2026-04-09.
Mitigation and Workarounds
The primary mitigation for CVE-2025-70811 is to upgrade to a phpBB release that contains the fix as soon as the phpBB team publishes one; this page does not name the fixed version, so confirm it against the phpBB security announcements. Until then, reduce exposure with measures that actually address CSRF. Content Security Policy does not: the forged request is an ordinary cross-site form submission, and CSP governs what the forum's own pages may load and execute, not what other sites may submit to it. phpBB's built-in form-key protection (add_form_key()/check_form_key()) is applied per form in code, so there is no configuration setting that would retroactively cover a form that lacks the check. Workarounds that do help: set SameSite=Lax or Strict on the phpBB session cookie at the web-server or reverse-proxy layer if phpBB does not already do so, so browsers omit it from cross-site POSTs; reject state-changing requests to the ACP directory (/adm/ by default) whose Origin, Referer or Sec-Fetch-Site headers point to another site, in a WAF or reverse-proxy rule; and have administrators log out of the ACP when finished, since the forged request only succeeds while an ACP session is active. Monitor web server logs for cross-site POSTs to the ACP and the phpBB forums for reports of exploitation attempts.
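The following is an added example written for this page, not phpBB's own code. It shows the request gate a reverse-proxy or WAF rule in front of the ACP would apply (Sec-Fetch-Site, Origin and Referer checks on state-changing requests) alongside the per-session form-token check a CSRF-safe handler performs, written as a generic HMAC token rather than phpBB's form_key implementation. It also illustrates the attack flow described under Impact and Attack Scenarios, since those headers are what distinguishes the administrator's own submission from one forged by another site. The forum origin https://forum.example.com, the /adm/ prefix and the sample requests are assumptions.

```python
# Added example for this page; not phpBB's own code. FORUM_ORIGIN, ACP_PREFIX
# and the sample traffic below are assumptions chosen for illustration.
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

FORUM_ORIGIN = "https://forum.example.com"  # assumption: the forum's own origin
ACP_PREFIX = "/adm/"                         # phpBB's default ACP directory (assumed unchanged)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict                 # header names lower-cased
    form: dict = field(default_factory=dict)


def origin_of(url):
    """Scheme and host of a URL, lower-cased; None if either is missing."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cross_site_reason(req):
    """Explain why a request looks like a cross-site ACP write; None if it does not.

    Safe methods and paths outside the ACP are ignored. For ACP writes the
    browser-set headers are consulted from most to least reliable:
    Sec-Fetch-Site, then Origin, then Referer. A write carrying none of them
    is reported rather than silently allowed.
    """
    if req.method.upper() not in STATE_CHANGING or not req.path.startswith(ACP_PREFIX):
        return None
    if req.headers.get("sec-fetch-site", "").lower() == "cross-site":
        return "Sec-Fetch-Site: cross-site"
    origin = req.headers.get("origin")
    if origin is not None:
        return None if origin.lower() == FORUM_ORIGIN else f"Origin {origin} is not the forum"
    referer = req.headers.get("referer")
    if referer is not None:
        return None if origin_of(referer) == FORUM_ORIGIN else f"Referer {referer} is not the forum"
    return "no Sec-Fetch-Site, Origin or Referer on a state-changing ACP request"


def issue_form_token(session_id, secret, form_name):
    """Per-session, per-form anti-CSRF token: an HMAC the attacker's page cannot compute."""
    return hmac.new(secret, f"{session_id}:{form_name}".encode(), hashlib.sha256).hexdigest()


def form_token_valid(req, session_id, secret, form_name):
    """The check a CSRF-vulnerable handler lacks: the submitted token must match the session's."""
    expected = issue_form_token(session_id, secret, form_name)
    submitted = str(req.form.get("form_token", ""))
    return hmac.compare_digest(submitted.encode(), expected.encode())


def triage(requests):
    """Return (path, reason) for each request the gate would reject."""
    rejected = []
    for req in requests:
        reason = cross_site_reason(req)
        if reason is not None:
            rejected.append((req.path, reason))
    return rejected


# Constructed sample traffic, not captured from a real phpBB installation.
SAMPLE = [
    Request("GET", "/adm/index.php", {"referer": FORUM_ORIGIN + "/adm/"}),                        # read: ignored
    Request("POST", "/adm/index.php", {"origin": FORUM_ORIGIN, "sec-fetch-site": "same-origin"}),  # admin's own submit
    Request("POST", "/adm/index.php", {"origin": "https://attacker.example", "sec-fetch-site": "cross-site"}),
    Request("POST", "/adm/index.php", {"referer": "https://attacker.example/lure.html"}),         # older browser, no Origin
    Request("POST", "/adm/index.php", {}),                                                        # headerless write
    Request("POST", "/posting.php", {"origin": "https://attacker.example"}),                      # outside the ACP
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"reject {path}: {reason}")
```

Sec-Fetch-Site is sent by current Chromium- and Firefox-based browsers; older clients send only Origin or Referer, which is why the gate falls back to them. Rejecting ACP writes that carry none of the three headers can also block legitimate users behind proxies that strip Referer, so log such requests before turning the rule into a hard block. The token check belongs in the application itself; the header check is the layer you can add in front of an unpatched install.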
How to fix
Update phpBB to a fixed release to mitigate the Cross-Site Request Forgery (CSRF) vulnerability in the Admin Control Panel's icon management functionality. Consult the phpBB release notes for the fixed version and specific upgrade instructions.
Frequently asked questions
What is CVE-2025-70811 (CSRF in phpBB)?
CVE-2025-70811 is a Cross-Site Request Forgery (CSRF) vulnerability affecting phpBB versions 3.3.15 and earlier. It lets an attacker who lures a logged-in administrator to a malicious page submit forged requests to the Admin Control Panel's icon management functionality with that administrator's privileges, which the advisory states can be leveraged to execute arbitrary code.
Am I affected by CVE-2025-70811 in phpBB?
If you are running phpBB version 3.3.15 or earlier, you are affected. The installed version is shown on the ACP index page and defined as PHPBB_VERSION in includes/constants.php. Upgrade as soon as a fixed release is available and apply the workarounds above until then.
How do I fix CVE-2025-70811 in phpBB?
The recommended fix is to upgrade to a patched version of phpBB as soon as the phpBB development team releases one. Until then, apply the workarounds above: SameSite on the session cookie, Origin/Referer/Sec-Fetch-Site enforcement for state-changing ACP requests (for example in a WAF or reverse proxy), and logging out of the ACP when finished.
Is CVE-2025-70811 being actively exploited?
No active exploitation has been publicly confirmed, and the EPSS score is low (0.02%). Because a CSRF exploit is only an HTML page with an auto-submitting form, proof-of-concept code is easy to produce once the vulnerable request parameters are public, so treat the risk as likely to rise. Monitor security advisories.
Where can I find the official phpBB advisory for CVE-2025-70811?
Refer to the official phpBB security announcements page: https://www.phpbb.com/support/security/