CVE-2006-4677: PHP remote file inclusion vulnerability in contrib/yabbse/poc.php in phpopenchat before 3.0.2 allows remote attackers to execute arbitrary PHP code vi...

Description

PHP remote file inclusion vulnerability in contrib/yabbse/poc.php in phpopenchat before 3.0.2 allows remote attackers to execute arbitrary PHP code via the sourcedir parameter. NOTE: this issue was disputed by a third-party researcher who stated that the _REQUEST parameters were dynamically unset at the beginning of the file. Another researcher noted, and CVE agrees, that the unset PHP function can be bypassed (CVE-2006-3017). If this issue is due to a vulnerability in PHP, then it should be excluded from CVE

Metrics

EPSS Probability

1.51%

71.3th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Phpopenchat	Phpopenchat	<= 3.0.1
Phpopenchat	Phpopenchat	2.3.4
Phpopenchat	Phpopenchat	3.0.0

References

Timeline

Published: Sep 11, 2006
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2006-4677?

PHP remote file inclusion vulnerability in contrib/yabbse/poc.php in phpopenchat before 3.0.2 allows remote attackers to execute arbitrary PHP code via the sourcedir parameter. NOTE: this issue was disputed by a third-party researcher who stated that the _REQUEST parameters were dynamically unset at the beginning of the file. Another researcher noted, and CVE agrees, that the unset PHP function can be bypassed (CVE-2006-3017). If this issue is due to a vulnerability in PHP, then it should be excluded from CVE

How severe is CVE-2006-4677?

Severity scoring for CVE-2006-4677 is pending analysis. The EPSS model estimates a 1.51% probability of exploitation in the next 30 days.

How do I fix CVE-2006-4677?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.