Mybb
by MyBB
Source repositories
CVEs (180)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16780 | Cri | 0.67 | 9.8 | 0.06 | Nov 10, 2017 | The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file. | ||
| CVE-2015-8974 | Cri | 0.65 | 10.0 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2016-9420 | Cri | 0.64 | 9.8 | 0.03 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives." | ||
| CVE-2016-9416 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2016-9412 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy. | ||
| CVE-2016-9403 | Cri | 0.64 | 9.8 | 0.03 | Jan 31, 2017 | newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check. | ||
| CVE-2016-9402 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2015-8973 | Hig | 0.54 | 8.3 | 0.02 | Jan 31, 2017 | xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password. | ||
| CVE-2017-7566 | Hig | 0.50 | 7.7 | 0.02 | Apr 6, 2017 | MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. | ||
| CVE-2016-9418 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name. | ||
| CVE-2016-9415 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import." | ||
| CVE-2016-9414 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories. | ||
| CVE-2016-9410 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates. | ||
| CVE-2015-8977 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files. | ||
| CVE-2008-4929 | Hig | 0.49 | 7.5 | 0.02 | Nov 4, 2008 | MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames. | ||
| CVE-2016-9417 | Hig | 0.48 | 7.4 | 0.02 | Jan 31, 2017 | The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. | ||
| CVE-2018-25309 | Hig | 0.47 | 7.2 | 0.00 | Apr 29, 2026 | MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary… | ||
| CVE-2018-17128 | Med | 0.44 | 5.4 | 0.75 | Sep 17, 2018 | A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode. | ||
| CVE-2018-15596 | Med | 0.43 | 6.1 | 0.02 | Aug 28, 2018 | An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't… | ||
| CVE-2016-9413 | Med | 0.42 | 6.5 | 0.02 | Jan 31, 2017 | The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors. |
- risk 0.67cvss 9.8epss 0.06
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
- risk 0.65cvss 10.0epss 0.02
SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.64cvss 9.8epss 0.03
MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.64cvss 9.8epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.
- risk 0.64cvss 9.8epss 0.03
newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check.
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.54cvss 8.3epss 0.02
xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.
- risk 0.50cvss 7.7epss 0.02
MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import."
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames.
- risk 0.48cvss 7.4epss 0.02
The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.
- risk 0.47cvss 7.2epss 0.00
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary…
- risk 0.44cvss 5.4epss 0.75
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.
- risk 0.43cvss 6.1epss 0.02
An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't…
- risk 0.42cvss 6.5epss 0.02
The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
Page 1 of 9