Company
Date Published
Author
Dennis Brinkrolf
Word count
1959
Language
English
Hacker News points
None

Summary

The SonarSource R&D team discovered multiple security vulnerabilities in Codoforum, an open-source forum software written in PHP. The vulnerabilities are rated as critical and enable different attack vectors for a complete takeover of any Codoforum board running a version earlier than 4.9. Two SQL Injection vulnerabilities were found, which allow an attacker to extract data from the database and gain Remote Code Execution on the targeted web server. A Path Traversal vulnerability was also discovered, which enables an unauthenticated attacker to download arbitrary files from the server, including sensitive configuration files. Additionally, a Persistent Cross-Site Scripting (XSS) vulnerability was found, which allows a low-privileged malicious user to inject a JavaScript payload into the admin backend, enabling the execution of arbitrary code on the targeted web server. The vulnerabilities were fixed by using prepared statements or integer typecasting, and Codoforum users are advised to update their installations to version 4.9 or later.