{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25685", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "REJECTED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-05T15:21:44.156Z", "datePublished": "2026-04-05T20:45:33.893Z", "dateUpdated": "2026-04-19T12:36:07.579Z", "dateRejected": "2026-04-19T12:36:07.579Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-19T12:36:07.579Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25685", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "REJECTED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-05T15:21:44.156Z", "datePublished": "2026-04-05T20:45:33.893Z", "dateUpdated": "2026-04-19T12:36:07.579Z", "dateRejected": "2026-04-19T12:36:07.579Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-19T12:36:07.579Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "id": "CVE-2019-25685", "lastModified": "2026-04-19T13:16:33.777", "metrics": {}, "published": "2026-04-05T21:16:47.140", "references": [], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.2.3"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "phpBB", "source": "cna", "vendor": "phpBB"}, "product": "phpbb", "vendor": "phpbb"}], "analysis": {"en": {"generated_at": "2026-04-09T20:57:29.663605+00:00", "value": {"mitigation_remediation": ["Update phpBB to the latest patched version that resolves the phar deserialization issue.", "If immediate updating is not possible, disable the plupload attachment upload functionality or restrict it to a subset of trusted users until the patch is applied.", "Configure Imagick to reject unsafe operations or remove the imagick parameter from attachment settings to prevent deserialization of malicious objects."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the phpBB forum software, specifically versions 3.2.3 and earlier. CPE data indicates that all releases of phpBB are susceptible, with the general exception of any fixed revisions released after the advisory.", "description_and_impact": "phpBB includes a flaw that permits authenticated users to upload crafted zip files containing serialized PHP objects that are deserialized by the imagick processing component. The deserialization triggers arbitrary code execution, giving the attacker the ability to run commands on the web server. The weakness is rooted in improper handling of file paths and untrusted input, classed under the Path Traversal category. The potential impact is full compromise of the PHP process and the underlying system, affecting confidentiality, integrity, and availability of the affected forum installation.", "risk_and_exploitability": "The CVSS base score is 8.7, indicating a high severity vulnerability. The EPSS score is under 1%, suggesting a low current exploit probability, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with access to the attachment upload feature, and it depends on the application allowing the use of the phar:// stream wrapper and processing zip archives containing malicious objects. Once the conditions are met, the attacker can achieve remote code execution."}}}}, "created": "2026-04-06T20:22:32.348220+00:00", "updated": "2026-04-10T09:45:18.437816+00:00", "vendors": ["phpbb", "phpbb$PRODUCT$phpbb"]}