phpBB authentication bypass flaw
Vulnerability
Summary
A critical phpBB authentication bypass now exposes versions up to 3.3.16 and the 4.0.0 alpha to account takeover, including administrators, through one unauthenticated request. The flaw affects standard installs in default database-authentication mode, so a normal deployment can be vulnerable out of the box. phpBB 3.3.17 is the complete fix and affected operators need to upgrade.
Related Happenings
Kirki privilege escalation flaw actively exploited (CVE-2026-8206)
Vulnerability
H score: 89
First: 03.06.2026 01:12
Last: 03.06.2026 01:12
Sources 1
About this happening:
**CVE-2026-8206** in **Kirki - Freeform Page Builder, Website Builder & Customizer** is being actively exploited to hijack WordPress accounts, including **administrator** accounts...
Cursor local SQLite secret-storage exposing credentials security flaw
Vulnerability
H score: 25
First: 29.04.2026 18:00
Last: 29.04.2026 18:00
Sources 1
About this happening:
A **high-severity** **Cursor** flaw lets installed extensions read secrets stored locally, exposing **API keys** and **session tokens** without user interaction. The weakness stem...
Modular DS WordPress plugin unauthenticated privilege escalation (CVE-2026-23550)
Vulnerability
H score: 45
First: 15.01.2026 17:31
Last: 15.01.2026 17:31
Sources 1
About this happening:
Active exploitation of **CVE-2026-23550** in the **Modular DS WordPress plugin** puts **all versions through 2.5.1** at risk of **unauthenticated privilege escalation**. The flaw...
Latest development: 15.01.2026 22:49
Modular DS released version 2.5.2 to fix CVE-2026-23550 after Patchstack confirmed the flaw and contacted the vendor. The update removed URL-based route matching, drove routing entirely through validated filter logic, added a default 404 route, and made unrecognized requests fail safely.
Timeline
- 09.06.2026 17:00
phpBB authentication bypass reported to vendor
Initial Disclosure: Dan Stefan Alexandru of Pentest-Tools.com discovered PTT-2026-004, a phpBB authentication bypass, and reported it to phpBB on June 4, 2026. The flaw can let an attacker hijack any account, including administrators, with a single unauthenticated request and no password, and it affects phpBB versions up to 3.3.16 in default database-authentication mode and the 4.0.0 alpha.
Sources:
- Critical phpBB Flaw Lets Attackers Hijack Any Account with One Request — www.infosecurity-magazine.com — 09.06.2026 17:00
- 09.06.2026 17:00
phpBB 3.3.17 fixes the authentication bypass
Mitigation, Patch Update: phpBB released version 3.3.17 on June 6, 2026, as the complete fix for PTT-2026-004, the authentication bypass. Administrators were urged to upgrade vulnerable phpBB installations running versions up to 3.3.16 or the 4.0.0 alpha to remove the account-takeover risk.
Sources:
- Critical phpBB Flaw Lets Attackers Hijack Any Account with One Request — www.infosecurity-magazine.com — 09.06.2026 17:00
- phpBB forum fixes auth bypass bug lurking for a decade — www.bleepingcomputer.com — 12.06.2026 21:19