Vendor: MyBB
MyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software developed by the MyBB Group. It is written in PHP, supports MariaDB, MySQL, PostgreSQL and SQLite as database systems and, in addition, has database failover support. It is available in multiple languages and is licensed under the LGPL. The software allows users to facilitate community-driven interaction through a MyBB instance.
Products: 13
CVEs: 106
Across products: 1,114
Status: Private
Products
13
- 1,082 CVEs
- 21 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
106

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-16780 | Critical | 0.67 | 9.8 | 0.02 | | Nov 10, 2017 | The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file. |
| CVE-2015-8974 | Critical | 0.65 | 10.0 | 0.04 | | Jan 31, 2017 | SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2016-9420 | Critical | 0.64 | 9.8 | 0.01 | | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives." |
| CVE-2016-9412 | Critical | 0.64 | 9.8 | 0.03 | | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy. |
| CVE-2016-9403 | Critical | 0.64 | 9.8 | 0.05 | | Jan 31, 2017 | newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check. |
| CVE-2016-9402 | Critical | 0.64 | 9.8 | 0.04 | | Jan 31, 2017 | SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2015-8973 | High | 0.54 | 8.3 | 0.00 | | Jan 31, 2017 | xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password. |
| CVE-2017-7566 | High | 0.50 | 7.7 | 0.01 | | Apr 6, 2017 | MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. |
| CVE-2016-9418 | High | 0.49 | 7.5 | 0.01 | | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name. |
| CVE-2016-9410 | High | 0.49 | 7.5 | 0.01 | | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates. |
| CVE-2015-8977 | High | 0.49 | 7.5 | 0.01 | | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files. |
| CVE-2008-4929 | High | 0.49 | 7.5 | 0.01 | | Nov 4, 2008 | MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames. |
| CVE-2016-9417 | High | 0.48 | 7.4 | 0.01 | | Jan 31, 2017 | The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. |
| CVE-2018-25250 | High | 0.47 | 7.2 | 0.00 | | Apr 4, 2026 | MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that execute when users visit the attacker's profile page. |
| CVE-2018-25248 | High | 0.47 | 7.2 | 0.00 | | Apr 4, 2026 | MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators validate the download in downloads.php. |
| CVE-2018-25249 | Medium | 0.42 | 6.4 | 0.00 | | Apr 4, 2026 | MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment. |
| CVE-2016-9413 | Medium | 0.42 | 6.5 | 0.01 | | Jan 31, 2017 | The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors. |
| CVE-2009-4449 | Medium | 0.42 | 6.5 | 0.01 | | Dec 29, 2009 | Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php. |
| CVE-2018-25247 | Medium | 0.40 | 6.1 | 0.00 | | Apr 4, 2026 | MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating posts or threads with unvalidated subject content. Attackers can craft post subjects containing script tags that execute when other users view the attacker's profile, where liked posts are displayed without sanitization. |
| CVE-2021-47905 | Medium | 0.40 | 6.1 | 0.00 | | Jan 23, 2026 | MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons. |