Mybb
by MyBB
CVEs (180)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-4449 | | Med | 0.42 | 6.5 | 0.03 | | Dec 29, 2009 | Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and… |
| CVE-2018-10678 | | Med | 0.40 | 6.1 | 0.01 | | May 13, 2018 | MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks. |
| CVE-2017-8103 | | Med | 0.40 | 6.1 | 0.01 | | Apr 24, 2017 | In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event. |
| CVE-2016-9421 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2016-9419 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2016-9409 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs. |
| CVE-2016-9408 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users. |
| CVE-2016-9407 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs. |
| CVE-2016-9406 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2016-9405 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2016-9404 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login. |
| CVE-2015-8976 | | Med | 0.40 | 6.1 | 0.01 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade files." |
| CVE-2015-8975 | | Med | 0.40 | 6.1 | 0.02 | | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-16781 | | Med | 0.38 | 5.4 | 0.02 | | Nov 10, 2017 | The installer in MyBB before 1.8.13 has XSS. |
| CVE-2018-6844 | | Med | 0.35 | 5.4 | 0.01 | | Feb 8, 2018 | MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen. |
| CVE-2017-8104 | | Med | 0.35 | 5.3 | 0.03 | | Apr 24, 2017 | In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter. |
| CVE-2016-9411 | | Med | 0.35 | 5.3 | 0.02 | | Jan 31, 2017 | The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails. |
| CVE-2021-47934 | | Med | 0.34 | 5.3 | 0.00 | | May 16, 2026 | MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in… |
| CVE-2018-7305 | | Med | 0.32 | 4.9 | 0.00 | | Feb 21, 2018 | MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts. |
| CVE-2011-10018 | | | 0.08 | — | 0.02 | | Aug 13, 2025 | myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging… |