CVE-2026-25923: CWE-434: Unrestricted Upload of File with Dangerous Type in My-Little-Forum mylittleforum
Description
my little forum is a PHP and MySQL based internet forum that displays messages in a classical threaded view. Prior to 20260208.1, the application's URL validation does not reject the phar:// stream wrapper. An attacker can therefore upload a Phar/JPEG polyglot (a Phar archive disguised as a JPEG) through the image upload feature, reference it with a phar:// URL in a BBCode [img] tag, have the forum's [img] processing open that path and so deserialize the Phar metadata, and use a POP chain in Smarty 4.1.0 to delete arbitrary files. This vulnerability is fixed in 20260208.1.
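The mechanism above, as an added example that is not code from my little forum or from the advisory: a toy [img] URL check in its vulnerable form (any scheme:// string passes, so phar:// does) beside a hardened form (only absolute http/https URLs), a Phar/JPEG polyglot built with PHP's own Phar class, and a handler that touches the phar:// path with a filesystem function. The function and class names, the file paths and the sample URLs are assumptions for illustration; the Smarty 4.1.0 gadget chain is deliberately not reproduced, and a harmless Probe class stands in for it.

```php
<?php
// Added example (not my little forum's code). Names, paths and URLs are
// illustrative assumptions. Run with: php -d phar.readonly=0 demo.php

// Vulnerable check: accepts any "scheme://..." string, so phar:// passes.
function img_url_ok_vulnerable(string $url): bool {
    return preg_match('#^[a-z][a-z0-9+.\-]*://\S+$#i', $url) === 1;
}

// Hardened check: only absolute http(s) URLs with a host are accepted;
// phar://, file://, data: and relative paths are rejected.
function img_url_ok_hardened(string $url): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    return in_array(strtolower($p['scheme']), ['http', 'https'], true);
}

// Stand-in for an unserialize gadget: it only reports that it was destroyed.
// The real chain from the advisory lives in Smarty 4.1.0 and is not shown.
class Probe {
    public string $note = 'constructed sample metadata';
    public function __destruct() { echo "Probe::__destruct ran\n"; }
}

// Build a phar whose stub begins with the JPEG SOI marker (FF D8 FF), then
// rename it to .jpg: naive extension or magic-byte checks see an image, while
// the phar:// wrapper still parses the archive. Phar needs ".phar" in the
// file name at creation time, hence the rename afterwards.
function build_polyglot(string $jpgPath): void {
    $pharPath = $jpgPath . '.phar';
    @unlink($pharPath);
    $phar = new Phar($pharPath);
    $phar->startBuffering();
    $phar->setStub("\xFF\xD8\xFF\xE0<?php __HALT_COMPILER(); ?>");
    $phar->addFromString('x.txt', 'x');
    $phar->setMetadata(new Probe());   // serialize()d into the archive
    $phar->stopBuffering();
    rename($pharPath, $jpgPath);
}

// What a vulnerable [img] handler does after "validation": it touches the
// URL with a filesystem function. Opening the archive through phar:// is
// what unserializes the metadata (automatically on PHP 7.x; PHP 8 defers it
// to Phar::getMetadata(), so check the runtime version when testing).
function render_img(string $url): string {
    if (!img_url_ok_vulnerable($url)) {
        return '';
    }
    $info = @getimagesize($url);
    return $info ? '<img src="' . htmlspecialchars($url) . '">' : '';
}

$jpg = sys_get_temp_dir() . '/poly.jpg';
build_polyglot($jpg);
$evil = 'phar://' . $jpg;

var_dump(img_url_ok_vulnerable($evil));
var_dump(img_url_ok_hardened($evil));
var_dump(img_url_ok_hardened('https://example.com/a.jpg'));
render_img($evil);
unlink($jpg);
```

The fix the advisory describes corresponds to the hardened check: reject the URL by scheme before any filesystem or image function sees it, rather than trying to recognise polyglots by content. Checking only the uploaded file's extension or magic bytes does not help, because the polyglot passes both and the dangerous part is the phar:// prefix supplied later in the [img] tag.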
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T16:22:17.785Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698a5caf4b57a58fa174d539
Added to database: 2/9/2026, 10:16:15 PM
Last updated: 2/9/2026, 10:16:33 PM
Related Threats
- CVE-2026-25925: CWE-502: Deserialization of Untrusted Data in modery PowerDocu (High)
- CVE-2026-25808: CWE-862: Missing Authorization in fedify-dev hollo (High)
- CVE-2026-25807: CWE-94: Improper Control of Generation of Code ('Code Injection') in TaklaXBR zai-shell (High)
- CVE-2025-15317: Allocation of Resources Without Limits or Throttling in Tanium Tanium Server (Medium)
- CVE-2025-15316: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Tanium Tanium Server (Medium)