MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the 127.0.0.0/8 block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's Disallowed Remote Addresses list...
CVSS 5 | AI Score 7.6 | EPSS 0.001
MyBB is a free and open source forum software. The backup management module of the Admin CP may accept .htaccess as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There...
CVSS 4.7 | AI Score 7.1 | EPSS 0.0004
Cross Site Scripting vulnerability in MyBB Forums v1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management...
CVSS 5.4 | AI Score 7.4 | EPSS 0.0004
MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (SCEditor) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active...
CVSS 6.1 | AI Score 6.1 | EPSS 0.001
CVSS 9.8 | AI Score 7.4 | EPSS 0.001
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within...
CVSS 7.2 | AI Score 7 | EPSS 0.001
CVSS 6.1 | AI Score 6 | EPSS 0.001
MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and...
CVSS 7.2 | AI Score 6.8 | EPSS 0.002
MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module that allows remote authenticated users to modify the query string via direct user input or stored search filter...
CVSS 4.9 | AI Score 5.3 | EPSS 0.001
MyBB 1.8.31 has cross-site scripting (XSS) vulnerabilities (issue 2 of 2) in the post Attachments interface that allow attackers to inject HTML by persuading the user to upload a file with specially crafted...
CVSS 6.1 | AI Score 6 | EPSS 0.001
MyBB 1.8.31 has a cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) that allows remote attackers to inject HTML via user input or stored...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
MyBB is a free and open source forum software. The Mail Settings → Additional Parameters for PHP's mail() function (mail_parameters) setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The...
CVSS 7.2 | AI Score 7.1 | EPSS 0.004
MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on Change Settings pages. This...
CVSS 7.2 | AI Score 7.2 | EPSS 0.254
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on...
CVSS 7.2 | AI Score 7.4 | EPSS 0.002
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped...
CVSS 5.4 | AI Score 5.2 | EPSS 0.001
The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts,...
CVSS 4.8 | AI Score 4.8 | EPSS 0.001
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to...
CVSS 5.4 | AI Score 6.3 | EPSS 0.001
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to...
CVSS 5.4 | AI Score 6.3 | EPSS 0.001
CVSS 7.2 | AI Score 7.9 | EPSS 0.001
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of...
CVSS 7.2 | AI Score 7.9 | EPSS 0.001
SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML...
CVSS 8.8 | AI Score 9.1 | EPSS 0.002
CVSS 6.1 | AI Score 6.7 | EPSS 0.001
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of...
CVSS 8.8 | AI Score 9.1 | EPSS 0.002
Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing...
CVSS 6.1 | AI Score 6.6 | EPSS 0.002
CVSS 5.4 | AI Score 5.2 | EPSS 0.001
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private...
CVSS 6.1 | AI Score 6.1 | EPSS 0.001
Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name...
CVSS 5.4 | AI Score 5.9 | EPSS 0.001
Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields...
CVSS 5.4 | AI Score 5.9 | EPSS 0.001
CVSS 6.1 | AI Score 6.7 | EPSS 0.001
A CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate (or usercp.php?action=mybb2fa&do=activate). A deactivate operation lowers the...
CVSS 8.8 | AI Score 7.4 | EPSS 0.002
In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of...
CVSS 7.2 | AI Score 6.7 | EPSS 0.001
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode...
CVSS 8.7 | AI Score 6 | EPSS 0.001
CVSS 6.1 | AI Score 6.1 | EPSS 0.001
MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code...
CVSS 5.3 | AI Score 6.6 | EPSS 0.002
A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]'...
CVSS 6.1 | AI Score 6.1 | EPSS 0.001
A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username'...
CVSS 6.1 | AI Score 6.1 | EPSS 0.001
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video...
CVSS 5.4 | AI Score 5.1 | EPSS 0.005
An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading...
CVSS 6.1 | AI Score 6.1 | EPSS 0.015
MyBB Group MyBB contains a File Inclusion vulnerability in the Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appears to be exploitable via Must...
CVSS 7.2 | AI Score 6.9 | EPSS 0.002
MyBB Group MyBB contains an Incorrect Access Control vulnerability in Private forums that can result in users viewing posts from private forums without having the password. This attack appears to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in...
CVSS 4.3 | AI Score 6.8 | EPSS 0.001
MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection...
CVSS 6.1 | AI Score 6.8 | EPSS 0.001
MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user...
CVSS 4.9 | AI Score 6.9 | EPSS 0.001
CVSS 5.4 | AI Score 5.9 | EPSS 0.001
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration...
CVSS 9.8 | AI Score 9.7 | EPSS 0.046
CVSS 5.4 | AI Score 5.5 | EPSS 0.005
In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder...
CVSS 5.3 | AI Score 6.8 | EPSS 0.001
In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover...
CVSS 6.1 | AI Score 6.8 | EPSS 0.001
CVSS 7.7 | AI Score 6.9 | EPSS 0.004
Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade...
CVSS 6.1 | AI Score 6.3 | EPSS 0.002
SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified...
CVSS 9.8 | AI Score 8.7 | EPSS 0.002