CVE-2026-25923 affects My-Little-Forum, a PHP and MySQL-based internet forum software that displays messages in a threaded view. The vulnerability is due to insufficient validation of the phar:// protocol in URLs during the image upload feature, allowing attackers to upload a malicious Phar polyglot file disguised as a JPEG image. Phar files can contain serialized PHP objects, and when processed improperly, can trigger deserialization vulnerabilities. In this case, the forum software processes BBCode [img] tags that reference the uploaded image, which leads to Phar deserialization. This deserialization is exploited in combination with a known Property-Oriented Programming (POP) chain in Smarty 4.1.0, a popular PHP templating engine used by the forum. The POP chain enables attackers to perform arbitrary file deletion on the server, compromising the integrity and availability of the forum data and potentially other files on the host. The vulnerability requires no authentication or user interaction, making it remotely exploitable by any attacker who can upload images. The issue is tracked under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-502 (Deserialization of Untrusted Data). The vendor fixed this vulnerability in version 20260208.1. Although no active exploits are reported, the high CVSS score (8.7) reflects the critical nature of the flaw and the ease of exploitation.

For European organizations using My-Little-Forum, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their forum data and potentially the underlying server environment. Attackers can delete arbitrary files, which could disrupt business communications, damage reputations, and cause data loss. Since the exploit requires no authentication or user interaction, any public-facing forum instance is at risk of remote compromise. This could lead to service outages, loss of user trust, and potential regulatory compliance issues under GDPR if personal data is affected. Organizations relying on My-Little-Forum for community engagement or customer support could face operational disruptions and increased incident response costs. The lack of known exploits in the wild currently reduces immediate risk, but the vulnerability’s public disclosure and high severity make rapid patching essential to prevent future attacks.

European organizations should immediately upgrade My-Little-Forum to version 20260208.1 or later, where the vulnerability is fixed. If upgrading is not immediately possible, implement strict input validation and filtering to block phar:// protocol URLs in image uploads and BBCode processing. Disable or restrict the use of BBCode [img] tags referencing user-uploaded content until patched. Review and harden file upload handling by enforcing strict MIME type checks and file extension whitelisting. Monitor forum logs for suspicious upload attempts or unusual file deletion activities. Employ web application firewalls (WAFs) with custom rules to detect and block exploitation attempts involving phar:// URLs or malformed BBCode. Additionally, consider isolating the forum server with limited file system permissions to minimize the impact of potential file deletions. Regularly audit and back up forum data to enable recovery in case of compromise.