Mybb Security Vulnerabilities

CVE-2024-23336

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the 127.0.0.0/8 block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's Disallowed Remote Addresses list...

CVE-2024-23335

MyBB is a free and open source forum software. The backup management module of the Admin CP may accept .htaccess as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There.....

CVE-2023-45556

Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management...

CVE-2023-46251

MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (SCEditor) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active...

CVE-2020-22612

Installer RCE on settings file write in MyBB before...

CVE-2023-41362

MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within...

CVE-2023-28467

In MyBB before 1.8.34, there is XSS in the User CP module via the user email...

CVE-2022-45867

MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and...

CVE-2022-43709

MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter...

CVE-2022-43708

MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted...

CVE-2022-43707

MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored...

CVE-2022-39265

MyBB is a free and open source forum software. The Mail Settings ? Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The...

CVE-2022-24734

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on on Change Settings pages. This...

CVE-2021-43281

MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on....

CVE-2021-41866

MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped...

CVE-2021-39338

The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts,...

CVE-2020-19048

Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to...

CVE-2020-19049

Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to...

CVE-2021-27948

SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of...

CVE-2021-27947

SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of...

CVE-2021-27890

SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML...

CVE-2021-27949

Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator...

CVE-2021-27946

SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of...

CVE-2021-27889

Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing...

CVE-2021-27279

MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka...

CVE-2020-15139

In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private...

CVE-2014-3827

Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name...

CVE-2014-3826

Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields...

CVE-2019-20225

MyBB before 1.8.22 allows an open redirect on...

CVE-2019-12363

An CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate (or usercp.php?action=mybb2fa&do=activate). A deactivate operation lowers the...

CVE-2019-12831

In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of...

CVE-2019-12830

In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode...

CVE-2019-3578

MyBB 1.8.19 has XSS in the resetpassword...

CVE-2019-3579

MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code...

CVE-2018-19202

A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]'...

CVE-2018-19201

A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username'...

CVE-2018-17128

A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video...

CVE-2018-15596

An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading.....

CVE-2018-1000502

MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must...

CVE-2018-1000503

MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in.....

CVE-2018-10678

MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection...

CVE-2018-7305

MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user...

CVE-2018-6844

MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum...

CVE-2017-16780

The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration...

CVE-2017-16781

The installer in MyBB before 1.8.13 has...

CVE-2017-8104

In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder...

CVE-2017-8103

In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover...

CVE-2017-7566

MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection...

CVE-2015-8976

Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade...

CVE-2016-9402

SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified...