CVE-2008-3093
ImperialBB < 2.3.5 - Authenticated Arbitrary PHP Code Execution via Avatar Upload
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-3093. PoCs published by PHPLizardo.
AI-analyzed exploit summary: This exploit demonstrates a remote file upload vulnerability in ImperialBB <= 2.3.5 by tampering with the mime-type during avatar upload, allowing arbitrary PHP code execution.
Description
Unrestricted file upload vulnerability in ImperialBB 2.3.5 and earlier allows remote authenticated users to upload and execute arbitrary PHP code by placing a .php filename in the Upload_Avatar parameter and sending the image/gif content type.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by PHPLizardo · php · webapps · php
https://www.exploit-db.com/exploits/6008
Classification
Working Poc 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target:
ImperialBB <= 2.3.5
Auth required
Prerequisites:
Valid user credentials · Access to the User Control Panel
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (5)
Core References
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/30939
Various Sources x_refsource_misc
http://phplizardo.breizh-web.net/blog/2008/07/05/advisory-1-imperialbb
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/30100
Exploit, Third Party Advisory exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/6008
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/43608
Scores
EPSS
0.0217
EPSS Percentile
80.0%
Details
CWE
CWE-94
Status
published
Products (1)
phplizardo/imperialbb
< 2.3.5
Published
Jul 09, 2008
Tracked Since
Feb 18, 2026