phpBB 2.0.6 and earlier has three security vulnerabilities:

BID-8570: XSS->phpBB 2.0.6 and earlier
CAN-2003-0486: SQL Injection-> phpBB 2.0.4
BID-7932: Script Injection->phpBB 2.0.0-2.0.4

There are workarounds available for all of these vulnerabilities. The most serious are CAN-2003-0486 which would allow an attacker to steal the hash of the password for the admin user and BID-7932 which allows an attacker to run arbitrary code.