CVE-2019-16759

CRITICAL KEV NUCLEI

vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2019-16759 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 17 public exploits from researchers including r00tpgp, anonymous, jas502n, including a Metasploit module exploits/multi/http/vbulletin_widget_template_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a Metasploit module exploiting CVE-2019-16759, a pre-authentication remote code execution vulnerability in vBulletin 5.x. It leverages a widget rendering endpoint to execute arbitrary PHP code.

Description

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Exploits (17)

exploitdb WORKING POC
by r00tpgp · rubywebappsphp
https://www.exploit-db.com/exploits/47437

This is a Metasploit module exploiting CVE-2019-16759, a pre-authentication remote code execution vulnerability in vBulletin 5.x. It leverages a widget rendering endpoint to execute arbitrary PHP code.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.0.0 to 5.5.4
No auth needed
Prerequisites: Network access to the target vBulletin instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by anonymous · pythonwebappsphp
https://www.exploit-db.com/exploits/47447

This exploit leverages a pre-authentication remote code execution vulnerability in vBulletin 5.x by injecting arbitrary commands via the 'widgetConfig[code]' parameter in an AJAX request. It establishes an interactive shell by executing system commands through 'shell_exec'.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.0.0 to 5.5.4
No auth needed
Prerequisites: Target URL of a vulnerable vBulletin instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 21 stars
by jas502n · remote
https://github.com/jas502n/CVE-2019-16759

This repository contains a functional Python exploit for CVE-2019-16759, a pre-authentication remote code execution vulnerability in vBulletin 5.x (versions 5.0.0 to 5.5.4). The exploit leverages the 'widget_php' endpoint to execute arbitrary commands via the 'widgetConfig[code]' parameter, with a verification mechanism using an MD5 hash to confirm successful execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.x (5.0.0 to 5.5.4)
No auth needed
Prerequisites: Target running vulnerable vBulletin version · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 20 stars
by theLSA · remote
https://github.com/theLSA/vbulletin5-rce

This repository contains a functional Python exploit for CVE-2019-16759, a remote code execution vulnerability in vBulletin 5.0.0-5.5.4. The exploit leverages the `widgetConfig[code]` parameter in the `ajax/render/widget_php` endpoint and includes a bypass for patched versions using `subWidgets[0][config][code]` in the `widget_tabbedcontainer_tab_panel` endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.0.0-5.5.4
No auth needed
Prerequisites: Network access to the target vBulletin instance · Python 2.7 with the `requests` library
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 6 stars
by 0xdims · infoleak
https://github.com/0xdims/CVE-2019-16759

This repository contains a functional exploit for CVE-2019-16759, a pre-authentication remote code execution vulnerability in vBulletin 5.x. The script extracts email addresses and SMTP credentials from the database by leveraging a widget template injection flaw.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: vBulletin 5.x
No auth needed
Prerequisites: target URL list · vBulletin 5.x instance with vulnerable endpoint
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 5 stars
by M0sterHxck · remote
https://github.com/M0sterHxck/CVE-2019-16759-Vbulletin-rce-exploit

This repository contains a functional Python exploit for CVE-2019-16759, a pre-authentication remote code execution vulnerability in vBulletin 5.x. The exploit leverages the 'widget_php' endpoint to execute arbitrary commands via the 'widgetConfig[code]' parameter.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.0.0 to 5.5.4
No auth needed
Prerequisites: Target URL of a vulnerable vBulletin instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 4 stars
by andripwn · remote
https://github.com/andripwn/pwn-vbulletin

This repository contains functional exploit code for CVE-2019-16759, a pre-authentication remote code execution vulnerability in vBulletin 5.0.0 to 5.5.4. The exploit leverages a widget configuration parameter to execute arbitrary commands via shell_exec.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.0.0 - 5.5.4
No auth needed
Prerequisites: Target running vulnerable vBulletin instance · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 4 stars
by FarjaalAhmad · remote
https://github.com/FarjaalAhmad/CVE-2019-16759

This repository contains a functional exploit for CVE-2019-16759, which targets an unauthenticated remote code execution vulnerability in vBulletin versions 5.0 to 5.5.4 via the 'widget_php' parameter. The exploit sends crafted POST requests to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.0 < 5.5.4
No auth needed
Prerequisites: Target vBulletin instance accessible via HTTP/HTTPS · Python 3 environment with 'requests' library
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SCANNER 3 stars
by r00tpgp · remote
https://github.com/r00tpgp/http-vuln-CVE-2019-16759

This repository contains an NSE script for Nmap that detects the presence of CVE-2019-16759, a pre-authentication RCE vulnerability in vBulletin 5.x versions 5.0.0 to 5.5.4. The script scans for the vulnerability but does not include exploit code.

Classification
Scanner 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.x (5.0.0 to 5.5.4)
No auth needed
Prerequisites: Nmap installed · Network access to target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SCANNER 1 stars
by ludy-dev · remote
https://github.com/ludy-dev/vBulletin_Routestring-RCE

The repository contains a Python script that scans for CVE-2019-16759 by checking for specific endpoints in vBulletin. It does not include functional exploit code for remote code execution but verifies the presence of vulnerable paths.

Classification
Scanner 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.0.0 to 5.6.2
No auth needed
Prerequisites: Network access to the target vBulletin instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by nako48 · remote
https://github.com/nako48/CVE-2019-16759

The repository contains functional exploit scripts for CVE-2019-16759, a remote code execution vulnerability in vBulletin. The scripts demonstrate the vulnerability by sending crafted HTTP requests to exploit the widget_tabbedcontainer_tab_panel endpoint, executing arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin
No auth needed
Prerequisites: access to the target vBulletin instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by sunian19 · remote
https://github.com/sunian19/CVE-2019-16759

The repository contains a functional Python script that exploits CVE-2019-16759, an unauthenticated remote code execution vulnerability in vBulletin 5.x. The exploit sends a crafted POST request to the vulnerable endpoint to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.x
No auth needed
Prerequisites: Target running vBulletin 5.x · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by fxp0-4tx · remote
https://github.com/fxp0-4tx/CVE-2019-16759

The repository contains functional exploit scripts for CVE-2019-16759, a remote code execution vulnerability in vBulletin. The scripts leverage the widget_tabbedcontainer_tab_panel endpoint to inject PHP code via the subWidgets parameter, demonstrating RCE capabilities.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin (versions 5.0.0 through 5.5.4)
No auth needed
Prerequisites: Access to the vBulletin instance · Network connectivity to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by polar1s7 · remote
https://github.com/polar1s7/CVE-2019-16759-bypass

This repository contains a functional exploit for CVE-2019-16759, a remote code execution vulnerability in vBulletin. The exploit leverages a widget template injection to execute arbitrary PHP code, bypassing authentication and uploading a shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: vBulletin (versions affected by CVE-2019-16759)
No auth needed
Prerequisites: Target running vulnerable vBulletin instance · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by psychoxploit · poc
https://github.com/psychoxploit/vbull

This repository contains a functional exploit for CVE-2019-16759, a pre-authentication remote code execution vulnerability in vBulletin. The exploit is written in Python and targets vBulletin versions 5.0.0 through 5.5.4 by sending a crafted HTTP request to execute arbitrary commands.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: vBulletin 5.0.0 to 5.5.4
No auth needed
Prerequisites: Target list file with URLs in the format http://target.tld/ or http://target.tld/path/
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_widget_template_rce.rb

This Metasploit module exploits a logic bug in vBulletin 5.x template rendering to achieve remote code execution by bypassing filters via the 'widget_tabbedcontainer_tab_panel' template and 'widget_php' argument. It supports multiple payload types (Meterpreter, Unix CMD, Windows CMD) and includes a check method to verify vulnerability.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: vBulletin 5.x
No auth needed
Prerequisites: vBulletin 5.x installation with accessible /ajax/render/widget_tabbedcontainer_tab_panel endpoint
devstral-2 · analyzed Apr 24, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by unknown, mekhalleh (RAMELLA Sébastien) · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb

This Metasploit module exploits a remote command execution vulnerability in vBulletin 5.x through 5.5.4 via the widgetConfig[code] parameter in an ajax/render/widget_php POST request. It supports multiple payload types including Meterpreter (PHP In-Memory), Unix CMD, and Windows CMD.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.x through 5.5.4
No auth needed
Prerequisites: Network access to the target vBulletin instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

vBulletin 5.0.0-5.5.4 - Remote Command Execution
CRITICALVERIFIEDby madrobot
Shodan: http.component:"vBulletin" || http.html:"powered by vbulletin" || http.component:"vbulletin" || http.title:"powered by vbulletin" || cpe:"cpe:2.3:a:vbulletin:vbulletin"
FOFA: body="powered by vbulletin" || title="powered by vbulletin"

References (11)

Core 11
Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://seclists.org/fulldisclosure/2019/Sep/31
Press/Media Coverage, Third Party Advisory x_refsource_misc
https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/155633/vBulletin-5.5.4-Remote-Command-Execution.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/158830/vBulletin-5.x-Remote-Code-Execution.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/158829/vBulletin-5.x-Remote-Code-Execution.html
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Aug/5
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/158866/vBulletin-5.x-Remote-Code-Execution.html

Scores

CVSS v3 9.8
EPSS 0.9443
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2019-10-09
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-7294
CWE
CWE-94
Status published
Products (1)
vbulletin/vbulletin 5.0.0 - 5.5.4
Published Sep 24, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026