MyBB
MyBB, formerly MyBBoard and originally MyBulletinBoard, is a free and open-source forum software developed by the MyBB Group. It is written in PHP, supports MariaDB, MySQL, PostgreSQL and SQLite as database systems and, in addition, has database failover support. It is available in multiple languages and is licensed under the LGPL. The software allows users to facilitate community driven interaction through a MyBB instance.
Products
35- 180 CVEs
- 25 CVEs
- 15 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- View all 35 products →
Recent CVEs
216| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16780 | Cri | 0.67 | 9.8 | 0.06 | Nov 10, 2017 | The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file. | ||
| CVE-2015-8974 | Cri | 0.65 | 10.0 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2017-14652 | Cri | 0.64 | 9.8 | 0.02 | Sep 21, 2017 | SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tapatalk plugin before 4.5.8 for MyBB allows an unauthenticated remote attacker to inject arbitrary SQL commands via an XML-RPC encoded document sent as part of the user registration process. | ||
| CVE-2016-9420 | Cri | 0.64 | 9.8 | 0.03 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives." | ||
| CVE-2016-9416 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2016-9412 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy. | ||
| CVE-2016-9403 | Cri | 0.64 | 9.8 | 0.03 | Jan 31, 2017 | newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check. | ||
| CVE-2016-9402 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2015-8973 | Hig | 0.54 | 8.3 | 0.02 | Jan 31, 2017 | xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password. | ||
| CVE-2017-7566 | Hig | 0.50 | 7.7 | 0.02 | Apr 6, 2017 | MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. | ||
| CVE-2016-9418 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name. | ||
| CVE-2016-9415 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import." | ||
| CVE-2016-9414 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories. | ||
| CVE-2016-9410 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates. | ||
| CVE-2015-8977 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files. | ||
| CVE-2008-4929 | Hig | 0.49 | 7.5 | 0.02 | Nov 4, 2008 | MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames. | ||
| CVE-2016-9417 | Hig | 0.48 | 7.4 | 0.02 | Jan 31, 2017 | The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. | ||
| CVE-2018-25309 | Hig | 0.47 | 7.2 | 0.00 | Apr 29, 2026 | MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary… | ||
| CVE-2018-14392 | Med | 0.47 | 6.1 | 0.49 | Jul 19, 2018 | The New Threads plugin before 1.2 for MyBB has XSS. | ||
| CVE-2018-11502 | Med | 0.45 | 6.5 | 0.02 | Aug 24, 2018 | An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF. |
- risk 0.67cvss 9.8epss 0.06
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
- risk 0.65cvss 10.0epss 0.02
SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.64cvss 9.8epss 0.02
SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tapatalk plugin before 4.5.8 for MyBB allows an unauthenticated remote attacker to inject arbitrary SQL commands via an XML-RPC encoded document sent as part of the user registration process.
- risk 0.64cvss 9.8epss 0.03
MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.64cvss 9.8epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.
- risk 0.64cvss 9.8epss 0.03
newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check.
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.54cvss 8.3epss 0.02
xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.
- risk 0.50cvss 7.7epss 0.02
MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import."
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.
- risk 0.49cvss 7.5epss 0.02
MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames.
- risk 0.48cvss 7.4epss 0.02
The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.
- risk 0.47cvss 7.2epss 0.00
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary…
- risk 0.47cvss 6.1epss 0.49
The New Threads plugin before 1.2 for MyBB has XSS.
- risk 0.45cvss 6.5epss 0.02
An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF.