| CVE ID | CVE-2026-54219 |
| Publication date | 18 June 2026 |
| Vendor | UBB Systems |
| Product | UBB.threads |
| Vulnerable versions | All through 7.7.5 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-54220 |
| Publication date | 18 June 2026 |
| Vendor | UBB Systems |
| Product | UBB.threads |
| Vulnerable versions | All through 7.7.5 |
| Vulnerability type (CWE) | Cross-Site Request Forgery (CSRF) (CWE-352) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-54221 |
| Publication date | 18 June 2026 |
| Vendor | UBB Systems |
| Product | UBB.threads |
| Vulnerable versions | All through 7.7.5 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-54222 |
| Publication date | 18 June 2026 |
| Vendor | UBB Systems |
| Product | UBB.threads |
| Vulnerable versions | All through 7.7.5 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-54223 |
| Publication date | 18 June 2026 |
| Vendor | UBB Systems |
| Product | UBB.threads |
| Vulnerable versions | All through 7.7.5 |
| Vulnerability type (CWE) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-54224 |
| Publication date | 18 June 2026 |
| Vendor | UBB Systems |
| Product | UBB.threads |
| Vulnerable versions | All through 7.7.5 |
| Vulnerability type (CWE) | Asymmetric Resource Consumption (Amplification) (CWE-405) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in UBB Systems UBB.threads software and participated in coordination of their disclosure.
The vulnerability CVE-2026-54219: UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low-privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing.
The vulnerability CVE-2026-54220: UBB.threads is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of anti-CSRF protection on state-changing requests. This allows an attacker to trick an authenticated user into executing unintended actions.
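The "protective mechanism" whose absence is described above is normally a synchronizer token: a secret bound to the session that a cross-site form post cannot know. The following is an added example of such a check for a PHP application like UBB.threads; it is not UBB.threads code or part of the advisory, and the session key and form field name (`csrf_token`) are assumed for illustration.

```php
<?php
// Added example (not UBB.threads code): synchronizer-token CSRF protection
// for state-changing POST handlers. Assumes native PHP sessions are in use.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // assumed session key
const CSRF_FIELD_NAME  = 'csrf_token';   // assumed hidden form field name

// Returns the per-session token, creating it on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from a CSPRNG, hex-encoded so it embeds safely in HTML.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to place in every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Call at the top of any handler that changes state. A request forged from
// another origin carries the victim's session cookie but not this token.
function csrf_verify(array $post): bool
{
    $submitted = $post[CSRF_FIELD_NAME] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // hash_equals compares in constant time, so the token cannot be
    // recovered byte by byte through timing differences.
    return hash_equals(csrf_token(), $submitted);
}

// Usage inside a POST handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the state-changing action only after the check passes ...
}
```

The token must be checked on every request that changes state, never only on the form that renders it; GET handlers that modify data should be converted to POST first, since a token cannot protect a link. Setting `session.cookie_samesite=Lax` in php.ini adds a second, independent layer for modern browsers but does not replace the token.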
The vulnerability CVE-2026-54221: UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim's browser by tricking them into clicking a crafted link.
The vulnerability CVE-2026-54222: UBB.threads is vulnerable to Blind SQL Injection, allowing attackers with access to the Members section of the Control Panel to interact with the underlying database. Due to insufficient input sanitization, an attacker can extract sensitive information, such as user credentials, by manipulating SQL queries through time-based or boolean-based techniques.
The vulnerability CVE-2026-54223: UBB.threads is vulnerable to Path Traversal, allowing an attacker with the privilege to edit templates to read and write any file on the application server that the application itself can access, which results in Remote Code Execution.
The vulnerability CVE-2026-54224: UBB.threads is vulnerable to Denial of Service (DoS). By sending multiple concurrent requests to view any user profile on an instance with many registered users, an authenticated attacker can easily exhaust database resources and completely deny access to the application for other users.
Because vendor contact attempts were unsuccessful, the vulnerabilities have only been confirmed in version 7.7.5 but may also affect other versions.
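Blind injection of the kind described above works because the input is spliced into the SQL text, so a value like `' OR SLEEP(5) AND '1'='1` changes the query rather than the data it matches. The following added example (not UBB.threads code; the table, column names and the member-search query are assumed for illustration) shows the vulnerable pattern next to the parameterised form that closes it.

```php
<?php
// Added example (not UBB.threads code): string-built query vs. prepared
// statement for a member search. Table and column names are assumed.
declare(strict_types=1);

// Vulnerable: the search term becomes part of the SQL text. Inputs such as
//   ' OR SLEEP(5) AND '1'='1                               (time-based)
//   ' OR SUBSTRING(USER_PASSWORD,1,1)='a' AND '1'='1       (boolean-based)
// let an attacker ask the database yes/no questions one character at a time.
function find_members_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT USER_ID, USER_LOGIN_NAME FROM ubbt_USERS"
         . " WHERE USER_LOGIN_NAME LIKE '%" . $name . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the query text is fixed at prepare time and the input is bound as a
// value, so whatever it contains it can only ever be compared as a string.
function find_members_safe(PDO $db, string $name): array
{
    // LIKE wildcards inside the data would still act as wildcards. That is a
    // correctness issue, not an injection, but it is cheap to neutralise by
    // escaping '%', '_' and the escape character itself.
    $pattern = '%' . strtr($name, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $db->prepare(
        "SELECT USER_ID, USER_LOGIN_NAME FROM ubbt_USERS"
        . " WHERE USER_LOGIN_NAME LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup: disable emulated prepares so the statement and its
// parameters travel to MySQL separately, and make errors visible.
function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

When auditing a code base for this class of bug, search for any query built with `.` concatenation or string interpolation and move every user-controlled value into a bound parameter; identifiers (table or column names) cannot be bound and must be checked against an allow-list instead.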
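The template-editing issue above is the classic path traversal shape: a name meant to select a file inside the templates directory is resolved against the filesystem without confirming it stays there, so `../` or an absolute path reaches any file the web server user can read or write, and writing a `.php` file under the web root turns that into code execution. The following added example (not UBB.threads code; directory layout and function name are assumed) shows a containment check that also works for files being created, which a plain `realpath()` on the target cannot do.

```php
<?php
// Added example (not UBB.threads code): confine a user-supplied template name
// to the templates directory before reading or writing it.
declare(strict_types=1);

// Returns the absolute path of $name inside $baseDir, or null if the name
// would escape it. Handles not-yet-existing files (writes) by resolving the
// parent directory rather than the target itself.
function resolve_template_path(string $baseDir, string $name): ?string
{
    // Control characters and NUL have no place in a template name; NUL in
    // particular truncates paths in C-level filesystem calls.
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }
    // Allow-list: one path component of safe characters, not starting with a
    // dot. This alone rejects "..", "/" and "\" so traversal cannot start.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Independent second check: the resolved parent of the target must be the
    // base directory itself. This catches anything the allow-list missed and
    // symlinked subdirectories.
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    // If the file already exists, refuse it when it is a symlink pointing
    // outside the directory (realpath would then differ from the candidate).
    if (file_exists($candidate) && realpath($candidate) !== $candidate) {
        return null;
    }
    return $candidate;
}

// Usage in a template editor handler (paths assumed for illustration):
$templates = __DIR__ . '/templates';
$path = resolve_template_path($templates, $_POST['template'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('Invalid template name');
}
file_put_contents($path, $_POST['content'] ?? '');
```

With this check, `default.tpl` resolves to a path under the templates directory while `../includes/config.inc.php` and `/etc/passwd` are rejected before any filesystem write. Keeping the templates directory outside the web root, or denying execution of scripts inside it at the web server level, limits the damage should a write nonetheless land there.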
Credits
We thank Kamil Szczurowski and Michał Wnękowicz from Securitum for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.