CVE-2025-46171

MEDIUM

vBulletin 3.8.7 - Authenticated Denial of Service via Buddy List Processing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-46171. PoCs published by oiyl.

AI-analyzed exploit summary: This repository describes a DoS vulnerability in vBulletin 3.x.x caused by an inefficient SQL query in the buddy list feature, which can be exploited by inflating the buddy list to overload the database.

Description

vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.

Exploits (1)

nomisec WRITEUP 4 stars
by oiyl · poc
https://github.com/oiyl/CVE-2025-46171

Classification: Writeup 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: vBulletin 3.8.7
Auth required
Prerequisites: Basic user account on the target vBulletin forum
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Mitigation, Third Party Advisory
https://github.com/oiyl/CVE-2025-46171

Scores

CVSS v3: 5.4
EPSS: 0.0024
EPSS Percentile: 14.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-400
Status: published
Products (1): vbulletin/vbulletin 3.8.7
Published: Jul 23, 2025
Tracked Since: Feb 18, 2026