CVE-2023-53894

CRITICAL 9.8

phpfm 1.7.9 Authentication Bypass via Type Juggling Vulnerability

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.

CWE	CWE-1390
Vendor	dulldusk
Product	phpfm
Published	Dec 16, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for dulldusk phpfm

Be the first to know when new critical vulnerabilities affecting dulldusk phpfm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Dulldusk / phpfm

1.7.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/51594 dulldusk.com: https://www.dulldusk.com/phpfm/ vulncheck.com: https://www.vulncheck.com/advisories/phpfm-authentication-bypass-via-type-juggling-vulnerability

Credits

thoughtfault