Vendor CVEs
MyBB
All CVEs
216 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-8104 | | Med | 0.35 | 5.3 | 0.03 | | Apr 24, 2017 | In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter. |
| CVE-2016-9411 | | Med | 0.35 | 5.3 | 0.02 | | Jan 31, 2017 | The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails. |
| CVE-2021-47934 | | Med | 0.34 | 5.3 | 0.00 | | May 16, 2026 | MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in… |
| CVE-2018-7305 | | Med | 0.32 | 4.9 | 0.00 | | Feb 21, 2018 | MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts. |
| CVE-2011-10018 | | | 0.08 | — | 0.02 | | Aug 13, 2025 | myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging… |
| CVE-2008-0382 | | | 0.06 | — | 0.42 | | Jan 22, 2008 | Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php. |
| CVE-2021-3337 | | | 0.05 | — | 0.11 | | Jan 28, 2021 | The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit. |
| CVE-2022-24734 | | | 0.03 | — | 0.78 | | Mar 9, 2022 | MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on _Change… |
| CVE-2021-27946 | | | 0.03 | — | 0.04 | | Mar 15, 2021 | SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3). |
| CVE-2021-27890 | | | 0.03 | — | 0.11 | | Mar 15, 2021 | SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files. |
| CVE-2021-27889 | | | 0.03 | — | 0.05 | | Mar 15, 2021 | Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages. |
| CVE-2018-14575 | | | 0.03 | — | 0.02 | | Mar 17, 2019 | Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject. |
| CVE-2014-9241 | | | 0.03 | — | 0.03 | | Dec 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title… |
| CVE-2014-9240 | | | 0.03 | — | 0.03 | | Dec 3, 2014 | SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action. |
| CVE-2011-5278 | | | 0.03 | — | 0.01 | | Apr 8, 2014 | SQL injection vulnerability in signature.php in Advanced Forum Signatures plugin (aka afsignatures) 2.0.4 for MyBB allows remote attackers to execute arbitrary SQL commands via the afs_bar_right parameter. |
| CVE-2011-5277 | | | 0.03 | — | 0.01 | | Apr 8, 2014 | Multiple SQL injection vulnerabilities in signature.php in the Advanced Forum Signatures (aka afsignatures) plugin 2.0.4 for MyBB allow remote attackers to execute arbitrary SQL commands via the (1) afs_type, (2) afs_background, (3) afs_showonline, (4) afs_bar_left, (5)… |
| CVE-2013-6936 | | | 0.03 | — | 0.02 | | Dec 4, 2013 | Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the (1) tooltip or (2) usertooltip parameter. |
| CVE-2012-5909 | | | 0.03 | — | 0.01 | | Nov 17, 2012 | SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php. |
| CVE-2012-5908 | | | 0.03 | — | 0.02 | | Nov 17, 2012 | Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php. |
| CVE-2010-5096 | | | 0.03 | — | 0.06 | | Aug 13, 2012 | Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this… |
| CVE-2011-4569 | | | 0.03 | — | 0.01 | | Nov 29, 2011 | SQL injection vulnerability in userbarsettings.php in the Userbar plugin 2.2 for MyBB Forum allows remote attackers to execute arbitrary SQL commands via the image2 parameter. |
| CVE-2009-4813 | | | 0.03 | — | 0.01 | | Apr 27, 2010 | Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action. |
| CVE-2009-2230 | | | 0.03 | — | 0.01 | | Jun 26, 2009 | SQL injection vulnerability in inc/datahandlers/user.php in MyBB (aka MyBulletinBoard) before 1.4.7 allows remote authenticated users to execute arbitrary SQL commands via the birthdayprivacy parameter. |
| CVE-2008-6198 | | | 0.03 | — | 0.01 | | Feb 20, 2009 | SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter. |
| CVE-2008-0787 | | | 0.03 | — | 0.01 | | Feb 15, 2008 | SQL injection vulnerability in inc/datahandlers/pm.php in MyBB before 1.2.12 allows remote authenticated users to execute arbitrary SQL commands via the options[disablesmilies] parameter to private.php. |
| CVE-2008-0383 | | | 0.03 | — | 0.01 | | Jan 22, 2008 | Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a… |
| CVE-2007-2211 | | | 0.03 | — | 0.01 | | Apr 24, 2007 | SQL injection vulnerability in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a dayview action. |
| CVE-2007-2212 | | | 0.03 | — | 0.01 | | Apr 24, 2007 | Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained… |
| CVE-2007-1963 | | | 0.03 | — | 0.01 | | Apr 11, 2007 | SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775. |
| CVE-2007-1906 | | | 0.03 | — | 0.03 | | Apr 10, 2007 | Directory traversal vulnerability in richedit/keyboard.php in eCardMAX HotEditor (Hot Editor) 4.0, and the HotEditor plugin for MyBB, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the first parameter. |
| CVE-2006-3775 | | | 0.03 | — | 0.02 | | Jul 24, 2006 | SQL injection vulnerability in the init function in class_session.php in MyBB (aka MyBulletinBoard) 1.1.5 allows remote attackers to execute arbitrary SQL commands via the CLIENT-IP HTTP header ($_SERVER['HTTP_CLIENT_IP'] variable), as utilized by index.php. |
| CVE-2006-2336 | | | 0.03 | — | 0.01 | | May 12, 2006 | SQL injection vulnerability in showthread.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter. |
| CVE-2006-2070 | | | 0.03 | — | 0.02 | | Apr 27, 2006 | Cross-site scripting (XSS) vulnerability in member.php in DevBB 1.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the member parameter in a viewpro action. |
| CVE-2006-1974 | | | 0.03 | — | 0.01 | | Apr 21, 2006 | SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter. |
| CVE-2006-1912 | | | 0.03 | — | 0.02 | | Apr 20, 2006 | MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site… |
| CVE-2006-0470 | | | 0.03 | — | 0.02 | | Jan 31, 2006 | Cross-site scripting (XSS) vulnerability in search.php in MyBulletinBoard (MyBB) 1.02 allows remote attackers to inject arbitrary web script or HTML via the (1) sortby and (2) sortordr parameters, which are not properly handled in a redirection. |
| CVE-2006-0442 | | | 0.03 | — | 0.02 | | Jan 26, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are… |
| CVE-2005-3326 | | | 0.03 | — | 0.02 | | Oct 27, 2005 | SQL injection vulnerability in usercp.php in MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the awayday parameter. |
| CVE-2005-2580 | | | 0.03 | — | 0.02 | | Aug 16, 2005 | Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 with Security Patch allow remote attackers to execute arbitrary SQL commands via the Username field in (1) index.php or (2) member.php, action parameter to (3) search.php or (4) member.php, or (5)… |
| CVE-2023-53979 | | | 0.00 | — | 0.01 | | Dec 22, 2025 | MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language… |
| CVE-2023-53978 | | | 0.00 | — | 0.00 | | Dec 22, 2025 | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the… |
| CVE-2023-53977 | | | 0.00 | — | 0.00 | | Dec 22, 2025 | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the… |
| CVE-2023-53976 | | | 0.00 | — | 0.00 | | Dec 22, 2025 | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in… |
| CVE-2025-48941 | | | 0.00 | — | 0.00 | | Jun 2, 2025 | MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title.… |
| CVE-2025-48940 | | | 0.00 | — | 0.00 | | Jun 2, 2025 | MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the… |
| CVE-2025-29459 | | | 0.00 | — | 0.00 | | Apr 17, 2025 | An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. |
| CVE-2025-29460 | | | 0.00 | — | 0.00 | | Apr 17, 2025 | An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. |
| CVE-2025-29458 | | | 0.00 | — | 0.00 | | Apr 17, 2025 | An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. |
| CVE-2025-29457 | | | 0.00 | — | 0.00 | | Apr 17, 2025 | An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. |
| CVE-2024-52702 | | | 0.00 | — | 0.00 | | Nov 20, 2024 | A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter. NOTE: this is disputed by the Supplier because Website… |