MyBB

All CVEs

216 total · sorted by risk
  • CVE-2017-8104 · Med · Apr 24, 2017
    risk 0.35 · cvss 5.3 · epss 0.03

    In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter.

  • CVE-2016-9411 · Med · Jan 31, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails.

  • CVE-2021-47934 · Med · May 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in…

  • CVE-2018-7305 · Med · Feb 21, 2018
    risk 0.32 · cvss 4.9 · epss 0.00

    MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.

  • CVE-2011-10018 · Aug 13, 2025
    risk 0.08 · cvss - · epss 0.02

    myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging…

  • CVE-2008-0382 · Jan 22, 2008
    risk 0.06 · cvss - · epss 0.42

    Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php.

  • CVE-2021-3337 · Jan 28, 2021
    risk 0.05 · cvss - · epss 0.11

    The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit.

  • CVE-2022-24734 · Mar 9, 2022
    risk 0.03 · cvss - · epss 0.78

    MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on _Change…

  • CVE-2021-27946 · Mar 15, 2021
    risk 0.03 · cvss - · epss 0.04

    SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).

  • CVE-2021-27890 · Mar 15, 2021
    risk 0.03 · cvss - · epss 0.11

    SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.

  • CVE-2021-27889 · Mar 15, 2021
    risk 0.03 · cvss - · epss 0.05

    Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.

  • CVE-2018-14575 · Mar 17, 2019
    risk 0.03 · cvss - · epss 0.02

    Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject.

  • CVE-2014-9241 · Dec 3, 2014
    risk 0.03 · cvss - · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title…

  • CVE-2014-9240 · Dec 3, 2014
    risk 0.03 · cvss - · epss 0.03

    SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action.

  • CVE-2011-5278 · Apr 8, 2014
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in signature.php in Advanced Forum Signatures plugin (aka afsignatures) 2.0.4 for MyBB allows remote attackers to execute arbitrary SQL commands via the afs_bar_right parameter.

  • CVE-2011-5277 · Apr 8, 2014
    risk 0.03 · cvss - · epss 0.01

    Multiple SQL injection vulnerabilities in signature.php in the Advanced Forum Signatures (aka afsignatures) plugin 2.0.4 for MyBB allow remote attackers to execute arbitrary SQL commands via the (1) afs_type, (2) afs_background, (3) afs_showonline, (4) afs_bar_left, (5)…

  • CVE-2013-6936 · Dec 4, 2013
    risk 0.03 · cvss - · epss 0.02

    Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the (1) tooltip or (2) usertooltip parameter.

  • CVE-2012-5909 · Nov 17, 2012
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php.

  • CVE-2012-5908 · Nov 17, 2012
    risk 0.03 · cvss - · epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php.

  • CVE-2010-5096 · Aug 13, 2012
    risk 0.03 · cvss - · epss 0.06

    Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this…

  • CVE-2011-4569 · Nov 29, 2011
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in userbarsettings.php in the Userbar plugin 2.2 for MyBB Forum allows remote attackers to execute arbitrary SQL commands via the image2 parameter.

  • CVE-2009-4813 · Apr 27, 2010
    risk 0.03 · cvss - · epss 0.01

    Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.

  • CVE-2009-2230 · Jun 26, 2009
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in inc/datahandlers/user.php in MyBB (aka MyBulletinBoard) before 1.4.7 allows remote authenticated users to execute arbitrary SQL commands via the birthdayprivacy parameter.

  • CVE-2008-6198 · Feb 20, 2009
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.

  • CVE-2008-0787 · Feb 15, 2008
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in inc/datahandlers/pm.php in MyBB before 1.2.12 allows remote authenticated users to execute arbitrary SQL commands via the options[disablesmilies] parameter to private.php.

  • CVE-2008-0383 · Jan 22, 2008
    risk 0.03 · cvss - · epss 0.01

    Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a…

  • CVE-2007-2211 · Apr 24, 2007
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a dayview action.

  • CVE-2007-2212 · Apr 24, 2007
    risk 0.03 · cvss - · epss 0.01

    Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained…

  • CVE-2007-1963 · Apr 11, 2007
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.

  • CVE-2007-1906 · Apr 10, 2007
    risk 0.03 · cvss - · epss 0.03

    Directory traversal vulnerability in richedit/keyboard.php in eCardMAX HotEditor (Hot Editor) 4.0, and the HotEditor plugin for MyBB, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the first parameter.

  • CVE-2006-3775 · Jul 24, 2006
    risk 0.03 · cvss - · epss 0.02

    SQL injection vulnerability in the init function in class_session.php in MyBB (aka MyBulletinBoard) 1.1.5 allows remote attackers to execute arbitrary SQL commands via the CLIENT-IP HTTP header ($_SERVER['HTTP_CLIENT_IP'] variable), as utilized by index.php.

  • CVE-2006-2336 · May 12, 2006
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in showthread.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter.

  • CVE-2006-2070 · Apr 27, 2006
    risk 0.03 · cvss - · epss 0.02

    Cross-site scripting (XSS) vulnerability in member.php in DevBB 1.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the member parameter in a viewpro action.

  • CVE-2006-1974 · Apr 21, 2006
    risk 0.03 · cvss - · epss 0.01

    SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter.

  • CVE-2006-1912 · Apr 20, 2006
    risk 0.03 · cvss - · epss 0.02

    MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site…

  • CVE-2006-0470 · Jan 31, 2006
    risk 0.03 · cvss - · epss 0.02

    Cross-site scripting (XSS) vulnerability in search.php in MyBulletinBoard (MyBB) 1.02 allows remote attackers to inject arbitrary web script or HTML via the (1) sortby and (2) sortordr parameters, which are not properly handled in a redirection.

  • CVE-2006-0442 · Jan 26, 2006
    risk 0.03 · cvss - · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are…

  • CVE-2005-3326 · Oct 27, 2005
    risk 0.03 · cvss - · epss 0.02

    SQL injection vulnerability in usercp.php in MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the awayday parameter.

  • CVE-2005-2580 · Aug 16, 2005
    risk 0.03 · cvss - · epss 0.02

    Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 with Security Patch allow remote attackers to execute arbitrary SQL commands via the Username field in (1) index.php or (2) member.php, action parameter to (3) search.php or (4) member.php, or (5)…

  • CVE-2023-53979 · Dec 22, 2025
    risk 0.00 · cvss - · epss 0.01

    MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language…

  • CVE-2023-53978 · Dec 22, 2025
    risk 0.00 · cvss - · epss 0.00

    myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the…

  • CVE-2023-53977 · Dec 22, 2025
    risk 0.00 · cvss - · epss 0.00

    myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the…

  • CVE-2023-53976 · Dec 22, 2025
    risk 0.00 · cvss - · epss 0.00

    myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in…

  • CVE-2025-48941 · Jun 2, 2025
    risk 0.00 · cvss - · epss 0.00

    MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title.…

  • CVE-2025-48940 · Jun 2, 2025
    risk 0.00 · cvss - · epss 0.00

    MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the…

  • CVE-2025-29459 · Apr 17, 2025
    risk 0.00 · cvss - · epss 0.00

    An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

  • CVE-2025-29460 · Apr 17, 2025
    risk 0.00 · cvss - · epss 0.00

    An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

  • CVE-2025-29458 · Apr 17, 2025
    risk 0.00 · cvss - · epss 0.00

    An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

  • CVE-2025-29457 · Apr 17, 2025
    risk 0.00 · cvss - · epss 0.00

    An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

  • CVE-2024-52702 · Nov 20, 2024
    risk 0.00 · cvss - · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter. NOTE: this is disputed by the Supplier because Website…

Page 2 of 5