VYPR

Mybb

by MyBB

Source repositories

CVEs (180)

  • CVE-2006-1912Apr 20, 2006
    risk 0.03cvss epss 0.02

    MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site…

  • CVE-2006-0470Jan 31, 2006
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in search.php in MyBulletinBoard (MyBB) 1.02 allows remote attackers to inject arbitrary web script or HTML via the (1) sortby and (2) sortordr parameters, which are not properly handled in a redirection.

  • CVE-2006-0442Jan 26, 2006
    risk 0.03cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are…

  • CVE-2005-3326Oct 27, 2005
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in usercp.php in MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the awayday parameter.

  • CVE-2023-53979Dec 22, 2025
    risk 0.00cvss epss 0.01

    MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language…

  • CVE-2023-53978Dec 22, 2025
    risk 0.00cvss epss 0.00

    myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the…

  • CVE-2025-48941Jun 2, 2025
    risk 0.00cvss epss 0.00

    MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title.…

  • CVE-2025-48940Jun 2, 2025
    risk 0.00cvss epss 0.00

    MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the…

  • CVE-2025-29460Apr 17, 2025
    risk 0.00cvss epss 0.00

    An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

  • CVE-2025-29458Apr 17, 2025
    risk 0.00cvss epss 0.00

    An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

  • CVE-2025-29457Apr 17, 2025
    risk 0.00cvss epss 0.00

    An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

  • CVE-2025-29459Apr 17, 2025
    risk 0.00cvss epss 0.00

    An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

  • CVE-2024-52702Nov 20, 2024
    risk 0.00cvss epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter. NOTE: this is disputed by the Supplier because Website…

  • CVE-2024-23335May 1, 2024
    risk 0.00cvss epss 0.01

    MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are…

  • CVE-2024-23336May 1, 2024
    risk 0.00cvss epss 0.00

    MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list…

  • CVE-2023-46251Nov 6, 2023
    risk 0.00cvss epss 0.00

    MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual…

  • CVE-2023-45556Nov 6, 2023
    risk 0.00cvss epss 0.01

    Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.

  • CVE-2020-22612Sep 1, 2023
    risk 0.00cvss epss 0.01

    Installer RCE on settings file write in MyBB before 1.8.22.

  • CVE-2023-41362Aug 29, 2023
    risk 0.00cvss epss 0.02

    MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.

  • CVE-2023-28467May 22, 2023
    risk 0.00cvss epss 0.01

    In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.

Page 4 of 9