PatchSiren

Simplemachines CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Simplemachines CVE published 2017-02-09

CVE-2016-5727

CVE-2016-5727 is a high-severity flaw in Simple Machines Forum (SMF) 2.1. NVD describes the issue as PHP object injection in LogInOut.php, with attacker-controlled variables used in a foreach loop, leading to arbitrary PHP code execution. Because the attack is network-reachable and requires no privileges, internet-facing SMF 2.1 deployments should treat this as a priority fix.

CRITICAL Simplemachines CVE published 2017-02-09

CVE-2016-5726

CVE-2016-5726 is a critical remote code execution issue in Simple Machines Forum 2.1. The vulnerability is described as PHP object injection in Packages.php, reachable through the themechanges array parameter, with the potential to execute arbitrary PHP code.