CVE-2025-48827 · CRITICAL 9.8 · EPSS p99.3%

Description

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 69.65% probability of exploitation · percentile 99.3% · 2026-06-18T12:00:27Z
Published: 2025-05-27
Last modified: 2025-06-25

Underlying weaknesses · 1

CWE-424

References

  1. https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
  2. https://kevintel.com/CVE-2025-48827
  3. https://blog.kevintel.com/vbulletin-replaceadtemplate-kev/

Type | Target | Confidence | Tier
Weakness | Improper Protection of Alternate Path (cwe-424) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-48828
CVE-2025-58668
CVE-2025-71281
CVE-2025-50706
CVE-2025-44022
CVE-2025-4855

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.