Vulnerability Management

10-year-old phpBB vulnerability allows admin account takeover

June 12, 2026

By SC Staff

A 10-year-old authentication bypass vulnerability in the phpBB forum software allows attackers to log in as any user, including administrators. The flaw, which does not have an identifier, is easily exploitable with a single HTTP request and impacts phpBB versions 4.0.0-a2 or 3.3.16 and below.

Researchers at Aikido discovered the bug and reported it through phpBB's HackerOne Vulnerability Disclosure Program, as reported by Bleeping Computer. The vulnerability, introduced 10 years ago, affects all versions of the 3.x and 4.x release branches up to the specified versions. While a fix is available for the 3.x branch in version 3.3.17, no fix is yet available for the 4.x branch.

Exploiting the bug requires no special configuration and can be triggered on default settings. Administrator access could allow attackers to view private messages, create or delete content and user accounts, impersonate staff, or deface websites. The member list on phpBB forums is public by default, making target selection straightforward. Remote code execution is not possible because the Admin Control Panel enforces a separate password check.

Aikido withheld technical details to allow administrators time to update and has contacted the administrators of large phpBB forums directly. Updates may cause issues with OAuth authentication, but this is expected to be a simple fix.

Source: Bleeping Computer