Vendor CVEs
MyBB
All CVEs
216 total · sorted by risk

| CVE | Sev | Risk | CVSS | EPSS | Published | Description | Vendor / Product | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16780 | Cri | 0.67 | 9.8 | 0.06 | Nov 10, 2017 | The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file. | ||
| CVE-2015-8974 | Cri | 0.65 | 10.0 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2017-14652 | Cri | 0.64 | 9.8 | 0.02 | Sep 21, 2017 | SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tapatalk plugin before 4.5.8 for MyBB allows an unauthenticated remote attacker to inject arbitrary SQL commands via an XML-RPC encoded document sent as part of the user registration process. | ||
| CVE-2016-9420 | Cri | 0.64 | 9.8 | 0.03 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives." | ||
| CVE-2016-9416 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2016-9412 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy. | ||
| CVE-2016-9403 | Cri | 0.64 | 9.8 | 0.03 | Jan 31, 2017 | newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check. | ||
| CVE-2016-9402 | Cri | 0.64 | 9.8 | 0.02 | Jan 31, 2017 | SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2015-8973 | Hig | 0.54 | 8.3 | 0.02 | Jan 31, 2017 | xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password. | ||
| CVE-2017-7566 | Hig | 0.50 | 7.7 | 0.02 | Apr 6, 2017 | MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. | ||
| CVE-2016-9418 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name. | ||
| CVE-2016-9415 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import." | ||
| CVE-2016-9414 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories. | ||
| CVE-2016-9410 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates. | ||
| CVE-2015-8977 | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files. | ||
| CVE-2008-4929 | Hig | 0.49 | 7.5 | 0.02 | Nov 4, 2008 | MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames. | ||
| CVE-2016-9417 | Hig | 0.48 | 7.4 | 0.02 | Jan 31, 2017 | The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. | ||
| CVE-2018-25309 | Hig | 0.47 | 7.2 | 0.00 | Apr 29, 2026 | MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary… | ||
| CVE-2018-14392 | Med | 0.47 | 6.1 | 0.49 | Jul 19, 2018 | The New Threads plugin before 1.2 for MyBB has XSS. | ||
| CVE-2018-11502 | Med | 0.45 | 6.5 | 0.02 | Aug 24, 2018 | An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF. | ||
| CVE-2018-17128 | Med | 0.44 | 5.4 | 0.75 | Sep 17, 2018 | A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode. | ||
| CVE-2018-15596 | Med | 0.43 | 6.1 | 0.02 | Aug 28, 2018 | An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't… | ||
| CVE-2016-9413 | Med | 0.42 | 6.5 | 0.02 | Jan 31, 2017 | The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors. | ||
| CVE-2009-4449 | Med | 0.42 | 6.5 | 0.03 | Dec 29, 2009 | Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and… | ||
| CVE-2018-25250 | Hig | 0.40 | 7.2 | 0.00 | Apr 4, 2026 | MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that… | ||
| CVE-2018-25248 | Hig | 0.40 | 7.2 | 0.00 | Apr 4, 2026 | MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes… | ||
| CVE-2018-25247 | Med | 0.40 | 6.1 | 0.00 | Apr 4, 2026 | MyBB Like Plugin 3.0.0 contains a stored cross-site scripting vulnerability. Authenticated attackers can inject script payloads into post or thread subjects; when other users view a profile that displays the attacker's liked posts, the unsanitized subject is rendered, executing… | ||
| CVE-2021-47905 | Med | 0.40 | 6.1 | 0.00 | Jan 23, 2026 | MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons. | ||
| CVE-2018-25132 | Med | 0.40 | 6.1 | 0.00 | Jan 23, 2026 | MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. | ||
| CVE-2018-25116 | Med | 0.40 | 6.1 | 0.00 | Jan 23, 2026 | MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution. | ||
| CVE-2018-10678 | Med | 0.40 | 6.1 | 0.01 | May 13, 2018 | MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks. | ||
| CVE-2017-8103 | Med | 0.40 | 6.1 | 0.01 | Apr 24, 2017 | In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event. | ||
| CVE-2016-9421 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2016-9419 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2016-9409 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs. | ||
| CVE-2016-9408 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users. | ||
| CVE-2016-9407 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs. | ||
| CVE-2016-9406 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2016-9405 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2016-9404 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login. | ||
| CVE-2015-8976 | Med | 0.40 | 6.1 | 0.01 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade files." | ||
| CVE-2015-8975 | Med | 0.40 | 6.1 | 0.02 | Jan 31, 2017 | Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2018-11715 | Med | 0.38 | 5.4 | 0.02 | Jun 4, 2018 | The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject. | ||
| CVE-2018-10580 | Med | 0.38 | 5.4 | 0.02 | May 11, 2018 | The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field. | ||
| CVE-2018-10365 | Med | 0.38 | 5.4 | 0.02 | May 1, 2018 | An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized. | ||
| CVE-2017-16781 | Med | 0.38 | 5.4 | 0.02 | Nov 10, 2017 | The installer in MyBB before 1.8.13 has XSS. | ||
| CVE-2018-14888 | Med | 0.36 | 6.1 | 0.04 | Aug 14, 2018 | inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject. | ||
| CVE-2018-25249 | Med | 0.35 | 6.4 | 0.00 | Apr 4, 2026 | MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other… | ||
| CVE-2018-11430 | Med | 0.35 | 5.4 | 0.01 | May 28, 2018 | An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. The XSS is located in the mod notes textarea. | ||
| CVE-2018-6844 | Med | 0.35 | 5.4 | 0.01 | Feb 8, 2018 | MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen. |
Page 1 of 5