CVE-2025-46171

MEDIUM

Vbulletin - Denial of Service

Title source: rule

Description

vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.

Exploits (1)

nomisec WRITEUP 4 stars

by oiyl · poc

https://github.com/oiyl/CVE-2025-46171

View Code ZIP pw:eip

References (2)

[Product] http://vbulletin.com

[Exploit, Mitigation, Third Party Advisory] https://github.com/oiyl/CVE-2025-46171

Scores

CVSS v3 5.4

EPSS 0.0017

EPSS Percentile 37.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (1)

vbulletin/vbulletin 3.8.7

Published Jul 23, 2025

Tracked Since Feb 18, 2026