CVE-2026-25923
Published: 09 February 2026
Summary
CVE-2026-25923 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in My Little Forum (vendor: Mylittleforum). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25923 is a high-severity vulnerability in My Little Forum, PHP- and MySQL-based forum software that displays messages in a classical threaded view. In versions prior to 20260208.1, the application does not filter the phar:// protocol during URL validation. An attacker can therefore upload a Phar polyglot file disguised as a JPEG image through the image upload feature and reference it from a BBCode [img] tag; when the tag is processed, Phar deserialization occurs and a Smarty 4.1.0 POP chain is triggered. The issue is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-502 (Deserialization of Untrusted Data), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
Exploitation requires no privileges or user interaction and is carried out over the network with low attack complexity. Uploading the disguised Phar file and then referencing it in a BBCode [img] tag triggers deserialization and the Smarty POP chain, resulting in arbitrary file deletion on the server. The impact is therefore to the integrity and availability of files, with no impact on confidentiality.
The vulnerability is fixed in My Little Forum version 20260208.1. Official mitigation guidance is available in the GitHub release notes at https://github.com/My-Little-Forum/mylittleforum/releases/tag/20260208.1 and in the security advisory at https://github.com/My-Little-Forum/mylittleforum/security/advisories/GHSA-wr9p-3c3g-78fw, which describe the patch and recommend upgrading immediately.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6251
Vulnerability details
my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing forum application via malicious file upload and deserialization directly enables T1190; the resulting arbitrary file deletion maps to T1485 Data Destruction.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, testing, and application of patches, directly addressing the missing phar:// filtering that My Little Forum version 20260208.1 fixes.
SI-10 requires validation of uploaded files and BBCode URLs to block malicious Phar polyglots and phar:// deserialization triggers.
SI-9 enforces restrictions on file uploads to permit only safe image types, preventing disguised Phar polyglot files from being accepted.
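The two validation points named in the analysis above and in SI-10 (the BBCode [img] URL check and the image upload handler), as an added illustrative example in Python rather than My Little Forum's own PHP code. It assumes that a scheme allow-list replaces the missing phar:// filter and that uploads are scanned for the stub token every PHP phar archive must carry; the sample post and byte strings are constructed.

```python
import re
from urllib.parse import urlsplit

# Illustrative checks, not My Little Forum's own code, for the two places the
# advisory names: [img] URL validation and the image-upload handler.
ALLOWED_SCHEMES = {"http", "https"}
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
PHAR_STUB_MARKER = b"__HALT_COMPILER"   # present in every phar stub, never in a JPEG
JPEG_MAGIC = b"\xff\xd8\xff"

def is_safe_img_url(url: str) -> bool:
    """Allow-list http(s) URLs and site-relative paths.
    A block-list for 'phar://' misses case variants and the other PHP stream
    wrappers; rejecting every scheme outside the allow-list does not."""
    parts = urlsplit(url.strip())          # urlsplit lower-cases the scheme
    if parts.scheme in ALLOWED_SCHEMES:
        return bool(parts.netloc)
    # No scheme and no host: a plain path, which PHP never treats as a wrapper.
    return parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/")

def unsafe_img_urls(bbcode: str) -> list:
    """Return every [img] URL in a post that fails the allow-list."""
    return [u.strip() for u in IMG_TAG.findall(bbcode) if not is_safe_img_url(u)]

def contains_phar_stub(upload: bytes) -> bool:
    """Flag an upload that would deserialize if ever opened via phar://."""
    return PHAR_STUB_MARKER in upload

def is_clean_jpeg_upload(upload: bytes) -> bool:
    """Accept only data that starts as a JPEG and carries no phar stub.
    Re-encoding the image (GD/Imagick) is the stronger control: it discards
    anything appended after the image data."""
    return upload.startswith(JPEG_MAGIC) and not contains_phar_stub(upload)

# Constructed sample inputs; the 'polyglot' holds only the marker, not a real archive.
SAMPLE_POST = (
    "[img]https://forum.example/uploads/cat.jpg[/img]\n"
    "[IMG] PHAR://forum.example/uploads/cat.jpg [/IMG]\n"
    "[img]/uploads/dog.jpg[/img]"
)
SAMPLE_CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_POLYGLOT = SAMPLE_CLEAN_JPEG + b"<?php __HALT_COMPILER(); ?>"

if __name__ == "__main__":
    print("rejected [img] URLs:", unsafe_img_urls(SAMPLE_POST))
    print("clean JPEG accepted:", is_clean_jpeg_upload(SAMPLE_CLEAN_JPEG))
    print("polyglot accepted:", is_clean_jpeg_upload(SAMPLE_POLYGLOT))
```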