MyBB

All CVEs

216 total · sorted by risk
  • CVE-2017-16780 · Cri · Nov 10, 2017
    risk 0.67 · cvss 9.8 · epss 0.06

    The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

  • CVE-2015-8974 · Cri · Jan 31, 2017
    risk 0.65 · cvss 10.0 · epss 0.02

    SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2017-14652 · Cri · Sep 21, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tapatalk plugin before 4.5.8 for MyBB allows an unauthenticated remote attacker to inject arbitrary SQL commands via an XML-RPC encoded document sent as part of the user registration process.

  • CVE-2016-9420 · Cri · Jan 31, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."

  • CVE-2016-9416 · Cri · Jan 31, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-9412 · Cri · Jan 31, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.

  • CVE-2016-9403 · Cri · Jan 31, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check.

  • CVE-2016-9402 · Cri · Jan 31, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2015-8973 · Hig · Jan 31, 2017
    risk 0.54 · cvss 8.3 · epss 0.02

    xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.

  • CVE-2017-7566 · Hig · Apr 6, 2017
    risk 0.50 · cvss 7.7 · epss 0.02

    MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.

  • CVE-2016-9418 · Hig · Jan 31, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name.

  • CVE-2016-9415 · Hig · Jan 31, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import."

  • CVE-2016-9414 · Hig · Jan 31, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories.

  • CVE-2016-9410 · Hig · Jan 31, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates.

  • CVE-2015-8977 · Hig · Jan 31, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.

  • CVE-2008-4929 · Hig · Nov 4, 2008
    risk 0.49 · cvss 7.5 · epss 0.02

    MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames.

  • CVE-2016-9417 · Hig · Jan 31, 2017
    risk 0.48 · cvss 7.4 · epss 0.02

    The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.

  • CVE-2018-25309 · Hig · Apr 29, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary…

  • CVE-2018-14392 · Med · Jul 19, 2018
    risk 0.47 · cvss 6.1 · epss 0.49

    The New Threads plugin before 1.2 for MyBB has XSS.

  • CVE-2018-11502 · Med · Aug 24, 2018
    risk 0.45 · cvss 6.5 · epss 0.02

    An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF.

  • CVE-2018-17128 · Med · Sep 17, 2018
    risk 0.44 · cvss 5.4 · epss 0.75

    A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.

  • CVE-2018-15596 · Med · Aug 28, 2018
    risk 0.43 · cvss 6.1 · epss 0.02

    An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't…

  • CVE-2016-9413 · Med · Jan 31, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

  • CVE-2009-4449 · Med · Dec 29, 2009
    risk 0.42 · cvss 6.5 · epss 0.03

    Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and…

  • CVE-2018-25250 · Hig · Apr 4, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that…

  • CVE-2018-25248 · Hig · Apr 4, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes…

  • CVE-2018-25247 · Med · Apr 4, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    MyBB Like Plugin 3.0.0 contains a stored cross-site scripting vulnerability. Authenticated attackers can inject script payloads into post or thread subjects; when other users view a profile that displays the attacker's liked posts, the unsanitized subject is rendered, executing…

  • CVE-2021-47905 · Med · Jan 23, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons.

  • CVE-2018-25132 · Med · Jan 23, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget.

  • CVE-2018-25116 · Med · Jan 23, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.

  • CVE-2018-10678 · Med · May 13, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.

  • CVE-2017-8103 · Med · Apr 24, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event.

  • CVE-2016-9421 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-9419 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-9409 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs.

  • CVE-2016-9408 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users.

  • CVE-2016-9407 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs.

  • CVE-2016-9406 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-9405 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-9404 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login.

  • CVE-2015-8976 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade files."

  • CVE-2015-8975 · Med · Jan 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2018-11715 · Med · Jun 4, 2018
    risk 0.38 · cvss 5.4 · epss 0.02

    The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject.

  • CVE-2018-10580 · Med · May 11, 2018
    risk 0.38 · cvss 5.4 · epss 0.02

    The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.

  • CVE-2018-10365 · Med · May 1, 2018
    risk 0.38 · cvss 5.4 · epss 0.02

    An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.

  • CVE-2017-16781 · Med · Nov 10, 2017
    risk 0.38 · cvss 5.4 · epss 0.02

    The installer in MyBB before 1.8.13 has XSS.

  • CVE-2018-14888 · Med · Aug 14, 2018
    risk 0.36 · cvss 6.1 · epss 0.04

    inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject.

  • CVE-2018-25249 · Med · Apr 4, 2026
    risk 0.35 · cvss 6.4 · epss 0.00

    MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other…

  • CVE-2018-11430 · Med · May 28, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. The XSS is located in the mod notes textarea.

  • CVE-2018-6844 · Med · Feb 8, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.

Page 1 of 5