In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.
8.7CVSS
8.2AI Score
0.001EPSS
In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaa...
7.2CVSS
7.2AI Score
0.001EPSS
6.1CVSS
6.2AI Score
0.001EPSS
6.1CVSS
5.9AI Score
0.001EPSS
MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter.
5.3CVSS
5.5AI Score
0.002EPSS
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Me...
8.8CVSS
5.9AI Score
0.001EPSS
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
5.4CVSS
5.2AI Score
0.001EPSS
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
5.4CVSS
5.2AI Score
0.001EPSS
9.8CVSS
9.4AI Score
0.002EPSS
MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).
5.4CVSS
5.1AI Score
0.001EPSS
Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.
6.1CVSS
6.6AI Score
0.004EPSS
SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.
8.8CVSS
9AI Score
0.002EPSS
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
8.8CVSS
9AI Score
0.002EPSS
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).
7.2CVSS
7.8AI Score
0.001EPSS
7.2CVSS
7.8AI Score
0.001EPSS
Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.
6.1CVSS
6.7AI Score
0.001EPSS
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.
5.4CVSS
5.1AI Score
0.001EPSS
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on ...
7.2CVSS
7.4AI Score
0.002EPSS
MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on on Change Settings pages. This results...
7.2CVSS
7.1AI Score
0.257EPSS
In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.
6.1CVSS
6AI Score
0.001EPSS
MyBB is a free and open source forum software. The Mail Settings → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vul...
7.2CVSS
7.1AI Score
0.008EPSS
MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data
6.1CVSS
6AI Score
0.001EPSS
MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name
6.1CVSS
6AI Score
0.001EPSS
MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.
4.9CVSS
5.3AI Score
0.001EPSS
MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution.
7.2CVSS
6.7AI Score
0.002EPSS
In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.
6.1CVSS
5.9AI Score
0.001EPSS
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.
7.2CVSS
7AI Score
0.002EPSS
Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.
5.4CVSS
5.8AI Score
0.0004EPSS
MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (SCEditor ) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g...
7.5CVSS
6.1AI Score
0.001EPSS
MyBB is a free and open source forum software. The backup management module of the Admin CP may accept .htaccess as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There a...
4.7CVSS
4.8AI Score
0.0004EPSS
MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the 127.0.0.0/8 block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's Disallowed Remote Addresses list ($config['disallowed_remote_addresses'...
5CVSS
7AI Score
0.001EPSS