The phpBB3 forum software contains a Phar deserialization vulnerability that allows authenticated attackers to execute arbitrary PHP code on the server, potentially leading to a full site takeover. The vulnerability lies in how the admin control panel uses image editing software and file system functions. An attacker must first upload a malicious Phar file to the target server, then predict that file's name by exploiting weaknesses in the file uploading process. Once the correct path is known, the attacker can trigger the Phar deserialization and execute arbitrary PHP code on the server using POP gadgets. The phpBB3 security team has released a patch in version 3.2.4 to address this issue.
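
One way to close the trigger step described above, shown as an added example that is not phpBB's code or its 3.2.4 patch: a path-type setting is accepted only if it carries no stream wrapper, and the `phar` wrapper is unregistered as defence in depth. The function names and the sample paths are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not phpBB code): accept an admin-supplied path
 * setting only if it is a plain local path with no stream wrapper.
 */
function is_plain_local_path(string $path): bool
{
    // Reject empty input and embedded NUL bytes outright.
    if ($path === '' || strpos($path, "\0") !== false) {
        return false;
    }
    // Any "scheme://" prefix selects a PHP stream wrapper (phar://, php://, ...).
    // Schemes are case-insensitive, so match the pattern instead of a blocklist.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    return true;
}

/**
 * Defence in depth: drop the phar wrapper for this request when the
 * application never needs to read Phar archives.
 */
function disable_phar_wrapper(): bool
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        return stream_wrapper_unregister('phar');
    }
    return true; // wrapper already absent
}

// Constructed sample values for a path-type configuration setting.
$samples = [
    '/usr/bin/',
    'C:\\tools\\imaging\\',
    'phar:///srv/forum/files/example_upload/x',
    'PHAR://./files/example_upload',
    'php://filter/resource=/etc/hostname',
];

disable_phar_wrapper();
foreach ($samples as $candidate) {
    $ok = is_plain_local_path($candidate);
    // Only validated paths ever reach a file system function.
    $state = $ok ? (file_exists($candidate) ? 'exists' : 'missing') : 'not checked';
    printf("%-42s %s (%s)\n", $candidate, $ok ? 'accepted' : 'REJECTED', $state);
}
```

Validation has to run before the value is stored or used, because the deserialization happens inside the file system call itself, not in any later step.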