{"api_version":"1","generated_at":"2026-07-16T10:06:36+00:00","cve":"CVE-2016-5727","urls":{"html":"https://cve.report/CVE-2016-5727","api":"https://cve.report/api/cve/CVE-2016-5727.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-5727","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-5727"},"summary":{"title":"CVE-2016-5727","description":"LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop.","state":"PUBLISHED","assigner":"mitre","published_at":"2017-02-09 15:59:01","updated_at":"2025-04-20 01:37:25"},"problem_types":["CWE-94","n/a"],"metrics":[{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"8.8","severity":"HIGH","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.8","severity":"","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2016/06/10/7","name":"http://www.openwall.com/lists/oss-security/2016/06/10/7","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch","Third Party Advisory"],"title":"oss-security - Simple Machines Forums - PHP Object Injection","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2016/06/18/1","name":"http://www.openwall.com/lists/oss-security/2016/06/18/1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch","Third Party Advisory"],"title":"oss-security - Re: Simple Machines Forums - PHP Object Injection","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/SimpleMachines/SMF2.1/issues/3522","name":"https://github.com/SimpleMachines/SMF2.1/issues/3522","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"Fix CVE-2016-5727 PHP Object Injection Vulnerability · Issue #3522 · SimpleMachines/SMF2.1 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/SimpleMachines/SMF2.1/commit/19e560b9f3e8fc6d7d9d60c1ff617b5ed5c08008#diff-513c4f9c501cbefcc14420c01848f23c","name":"https://github.com/SimpleMachines/SMF2.1/commit/19e560b9f3e8fc6d7d9d60c1ff617b5ed5c08008#diff-513c4f9c501cbefcc14420c01848f23c","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"Apply safe_unserialize() · SimpleMachines/SMF2.1@19e560b · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-5727","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5727","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"5727","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"simplemachines","cpe5":"simple_machines_forum","cpe6":"2.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T01:07:59.971Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/SimpleMachines/SMF2.1/issues/3522"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/SimpleMachines/SMF2.1/commit/19e560b9f3e8fc6d7d9d60c1ff617b5ed5c08008#diff-513c4f9c501cbefcc14420c01848f23c"},{"name":"[oss-security] 20160618 Re: Simple Machines Forums - PHP Object Injection","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2016/06/18/1"},{"name":"[oss-security] 20160610 Simple Machines Forums - PHP Object Injection","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2016/06/10/7"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2016-06-10T00:00:00.000Z","descriptions":[{"lang":"en","value":"LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-02-09T13:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/SimpleMachines/SMF2.1/issues/3522"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/SimpleMachines/SMF2.1/commit/19e560b9f3e8fc6d7d9d60c1ff617b5ed5c08008#diff-513c4f9c501cbefcc14420c01848f23c"},{"name":"[oss-security] 20160618 Re: Simple Machines Forums - PHP Object Injection","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2016/06/18/1"},{"name":"[oss-security] 20160610 Simple Machines Forums - PHP Object Injection","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2016/06/10/7"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2016-5727","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/SimpleMachines/SMF2.1/issues/3522","refsource":"CONFIRM","url":"https://github.com/SimpleMachines/SMF2.1/issues/3522"},{"name":"https://github.com/SimpleMachines/SMF2.1/commit/19e560b9f3e8fc6d7d9d60c1ff617b5ed5c08008#diff-513c4f9c501cbefcc14420c01848f23c","refsource":"CONFIRM","url":"https://github.com/SimpleMachines/SMF2.1/commit/19e560b9f3e8fc6d7d9d60c1ff617b5ed5c08008#diff-513c4f9c501cbefcc14420c01848f23c"},{"name":"[oss-security] 20160618 Re: Simple Machines Forums - PHP Object Injection","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2016/06/18/1"},{"name":"[oss-security] 20160610 Simple Machines Forums - PHP Object Injection","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2016/06/10/7"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2016-5727","datePublished":"2017-02-09T15:00:00.000Z","dateReserved":"2016-06-18T00:00:00.000Z","dateUpdated":"2024-08-06T01:07:59.971Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-02-09 15:59:01","lastModifiedDate":"2025-04-20 01:37:25","problem_types":["CWE-94","n/a"],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:simplemachines:simple_machines_forum:2.1:*:*:*:*:*:*:*","matchCriteriaId":"774F215A-067D-4597-9EA0-B5393F089062"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"5727","Ordinal":"1","Title":"CVE-2016-5727","CVE":"CVE-2016-5727","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"5727","Ordinal":"1","NoteData":"LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop.","Type":"Description","Title":"CVE-2016-5727"},{"CveYear":"2016","CveId":"5727","Ordinal":"2","NoteData":"2017-02-09","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"5727","Ordinal":"3","NoteData":"2017-02-09","Type":"Other","Title":"Modified"}]}}}