CVE-2016-6195

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

vBulletin <4.2.2 PL5 & <4.2.3 PL1 - SQL Injection

Exploitation Summary

CVE-2016-6195 has been observed being exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 3 public exploits from researchers including Manish Tanwar, vaishakhcv, and winterwolf32. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates SQL injection in vBulletin's forumrunner addon, allowing enumeration of table names, column names, and user credentials via crafted HTTP requests.

Description

SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Manish Tanwar · text · webapps · php
https://www.exploit-db.com/exploits/40751

This exploit demonstrates SQL injection in vBulletin's forumrunner addon, allowing enumeration of table names, column names, and user credentials via crafted HTTP requests.

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: vBulletin <= 4.2.3
No auth needed
Prerequisites: Access to the forumrunner endpoint
devstral-2 · analyzed Feb 16, 2026

github · WORKING POC · 1 stars
by vaishakhcv · perl · poc
https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2016-6195

The repository contains a functional Perl script that exploits a SQL injection vulnerability in vBulletin's ForumRunner plugin (CVE-2016-6195). The exploit sends crafted HTTP requests to extract sensitive data from the database, including user credentials and table names.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: vBulletin (before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1)
No auth needed
Prerequisites: Target running vulnerable vBulletin version with ForumRunner plugin · Network access to the target
devstral-2 · analyzed Feb 27, 2026

github · WORKING POC
by winterwolf32 · perl · poc
https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2016-6195

The repository contains a functional Perl script that exploits a SQL injection vulnerability in vBulletin's ForumRunner plugin (CVE-2016-6195). The exploit sends crafted HTTP requests to extract sensitive data from the database, including user credentials.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: vBulletin (before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1)
No auth needed
Prerequisites: target URL · ForumRunner plugin installed
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

vBulletin <= 4.2.3 - SQL Injection
CRITICAL · VERIFIED · by MaStErChO
Shodan: title:"Powered By vBulletin" || http.html:"powered by vbulletin" || http.component:"vbulletin" || http.title:"powered by vbulletin" || cpe:"cpe:2.3:a:vbulletin:vbulletin"
FOFA: body="powered by vbulletin" || title="powered by vbulletin"

References (4)

Core References
Various Sources (x_refsource_misc): https://github.com/drewlong/vbully
Vendor Advisory (x_refsource_confirm): http://www.vbulletin.org/forum/showthread.php?t=322848
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/92687
Technical Description, Third Party Advisory (x_refsource_misc): https://enumerated.wordpress.com/2016/07/11/1/

Scores

CVSS v3 9.8
EPSS 0.6587
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2016-08-30
InTheWild.io 2017-08-21
CWE CWE-89
Status published
Products (2)
vbulletin/vbulletin 4.2.3
vbulletin/vbulletin < 4.2.2
Published Aug 30, 2016
Tracked Since Feb 18, 2026