Cyber Resilience

CVE-2026-25923

High · Public PoC · RCE

Published: 09 February 2026
Modified: 17 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: 20260208.1
CVSS Score (v4.0): 8.7 (High) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.0043 (34.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25923 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in My Little Forum (mylittleforum). Its CVSS v4.0 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25923 is a high-severity vulnerability in My Little Forum, a PHP and MySQL-based internet forum that displays messages in a classical threaded view. In versions prior to 20260208.1, the application fails to filter the phar:// protocol during URL validation. An attacker can therefore upload a Phar/JPEG polyglot (a file that is both a valid JPEG and a valid Phar archive) through the image upload feature and then reference it with phar:// in a BBCode [img] tag; processing the tag triggers Phar deserialization of the archive's serialized metadata, which drives a POP chain in the Smarty 4.1.0 template engine the forum uses. The issue is linked to CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-502 (Deserialization of Untrusted Data). Its CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), which is Critical on that scale; the v4.0 vector above rates only availability as High and yields 8.7.

Remote attackers need no privileges or user interaction, and the attack complexity is low. After uploading the disguised Phar file, the attacker references it in a BBCode [img] tag; processing the tag triggers the deserialization and runs the Smarty POP chain, which deletes arbitrary files on the server. The impact is therefore to the integrity and availability of files on the host; confidentiality is not affected.

The vulnerability is addressed in My Little Forum version 20260208.1. Official mitigation guidance is available in the GitHub release notes at https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1 and the security advisory at https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw, which detail the patch and recommend immediate upgrading.

Vulnerability details

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Remote unauthenticated exploitation of public-facing forum app via malicious file upload and deserialization directly enables T1190; resulting arbitrary file deletion maps to T1485 Data Destruction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-7384 (shared CWE-502)
CVE-2026-2113 (shared CWE-434, CWE-502)
CVE-2026-3017 (shared CWE-502)
CVE-2025-12352 (shared CWE-434)
CVE-2025-62368 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)
CVE-2025-53078 (shared CWE-502)
CVE-2026-43633 (shared CWE-502)
CVE-2026-25429 (shared CWE-502)

Affected Assets

mylittleforum / my little forum: versions prior to 20260208.1 (fixed in 20260208.1)

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-2 Flaw Remediation (prevent): mandates timely identification, testing and application of patches, which here means upgrading to My Little Forum 20260208.1, the release that filters phar:// during URL validation.

SI-10 Information Input Validation (prevent): requires validating both uploaded files and BBCode [img] URLs, so that Phar polyglots are rejected at upload time and phar:// (or any other non-HTTP scheme) never reaches the code that resolves an [img] URL.

SI-9 (Information Input Restrictions) is withdrawn in 800-53 (incorporated into AC-2, AC-3, AC-5 and AC-6), so the upload-type restriction is best tracked under SI-10. The intent stands: accept only files that are verifiably images, not merely files with an image extension or an image MIME type. A Phar polyglot carries a valid JPEG header, so an extension or MIME check alone does not exclude it.
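The two validation points that the analysis above and the SI-10 control describe, as an added example in PHP that is not My Little Forum's own code: a scheme allowlist for BBCode [img] URLs (so phar:// never reaches a filesystem call), a polyglot check at upload time, and unregistering the phar:// wrapper as defense in depth. The function names (vulnerableImgUrlCheck, imgUrlIsAllowed, uploadedImageIsSafe) and the sample inputs are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not My Little Forum's code. It shows the two input checks that
// close the CVE-2026-25923 path: a scheme allowlist for BBCode [img] URLs, so
// phar:// never reaches a filesystem call, and an upload check that rejects
// Phar/JPEG polyglots. Function names and sample inputs are assumptions.

// Defense in depth: a forum does not need the phar:// wrapper while serving
// requests. Without it, any file operation on a phar:// path simply fails
// instead of opening the archive. Skip this if your deployment loads .phar
// archives at runtime.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Extension-only validation is the vulnerable pattern: "phar://up/x.jpg" ends
// in .jpg, so it passes and is then handed to file_exists()/getimagesize().
function vulnerableImgUrlCheck(string $url): bool
{
    return (bool) preg_match('/\.(jpe?g|png|gif)$/i', $url);
}

// Hardened: allowlist the scheme instead of denylisting phar://. Relative paths
// are rejected too; if your site needs them, resolve them with realpath() and
// require the result to sit under the upload directory.
function imgUrlIsAllowed(string $url): bool
{
    if (preg_match('/[\x00-\x20]/', $url)) {      // control characters, whitespace
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)) {                    // no scheme, or unparsable URL
        return false;
    }
    return in_array(strtolower($scheme), ['http', 'https'], true);
}

// A Phar polyglot keeps a real JPEG/PNG/GIF header, so a magic-byte or MIME
// check alone passes it. Every Phar archive, however, must contain the stub
// terminator __HALT_COMPILER, so the upload is rejected if that marker appears
// anywhere in the bytes. Re-encoding the image with GD before storing it is a
// further step that strips trailing data entirely.
function uploadedImageIsSafe(string $bytes): bool
{
    $magic = ["\xFF\xD8\xFF", "\x89PNG\r\n\x1A\n", "GIF87a", "GIF89a"];
    $isImage = false;
    foreach ($magic as $prefix) {
        if (strncmp($bytes, $prefix, strlen($prefix)) === 0) {
            $isImage = true;
            break;
        }
    }
    if (!$isImage) {
        return false;
    }
    return stripos($bytes, '__HALT_COMPILER') === false;
}

// Constructed sample inputs, not real uploads: a bare JPEG header, and the same
// header with a Phar stub appended, which is the shape of a Phar/JPEG polyglot.
$jpeg     = "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 16);
$polyglot = $jpeg . "<?php __HALT_COMPILER(); ?>\r\n" . "\x00\x00manifest";

$checks = [
    ['benign JPEG accepted',                  uploadedImageIsSafe($jpeg),     true],
    ['Phar polyglot rejected',                uploadedImageIsSafe($polyglot), false],
    ['https URL accepted',                    imgUrlIsAllowed('https://forum.example/uploads/pic.jpg'), true],
    ['phar:// rejected',                      imgUrlIsAllowed('phar://uploads/pic.jpg'), false],
    ['uppercase PHAR:// rejected',            imgUrlIsAllowed('PHAR:///var/www/uploads/pic.jpg'), false],
    ['vulnerable check lets phar:// through', vulnerableImgUrlCheck('phar://uploads/pic.jpg'), true],
];
foreach ($checks as [$label, $got, $want]) {
    if ($got !== $want) {
        throw new RuntimeException("check failed: $label");
    }
}
echo "all checks passed\n";
```

The script throws a RuntimeException on the first check that does not behave as intended, so it doubles as a regression test for the two validators. The allowlist in imgUrlIsAllowed is the important design choice: a denylist of phar:// would still admit other wrappers (and case variants such as PHAR://), whereas accepting only http and https leaves nothing for a stream-wrapper trick to exploit.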

References

https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1 (release notes for the fixed version)
https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw (GitHub security advisory)