Users running a non-download version of Vanilla (pulled from github), on branch release/2019.016 or master from the last 2 weeks should upgrade to release/2019.017 or latest master for security reasons. Downloaded official open sources releases are not affected.

Vanilla 2.1.6 released

LincLinc Detroit Vanilla Staff

This is an important security upgrade for all forums.

Download it:

7 file changed. See the code diff.


  • Security: Fixes an SQL injection vector.
  • Security: Adds a PDO option to harden against SQL injection.
  • Security: Improves the security of password resets by increasing token length and limiting them to 1 hour expiration.
  • Adds vBulletin 5.1 password hashing to allow seamless password migrations. All previous versions continue to be supported.

Thanks to the team at ZeniMax Online Studios for disclosing the password reset issue and SQL injection vector.



Sign In or Register to comment.