cvebase

Mybb vulnerabilities

140 known vulnerabilities affecting mybb/mybb.

Total CVEs: 140
CISA KEV: 0
Public exploits: 18
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 42, MEDIUM 84, LOW 2

Vulnerabilities

Page 1 of 7
CVE-2022-24734 | P2 | HIGH | CVSS 7.2 | PoC | affected: >= 1.2.0, < 1.8.30 | 2022-03-09
[HIGH] CWE-94: MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. Th
Source: nvd
CVE-2011-10018 | P2 | CRITICAL | CVSS 9.8 | PoC | affected: v1.6.4 | 2025-08-13
[CRITICAL] CWE-94: myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation require
Source: nvd
CVE-2021-27890 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 1.8.26 | 2021-03-15
[HIGH] CWE-89: SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.
Source: nvd
CVE-2017-16780 | P2 | CRITICAL | CVSS 9.8 | PoC | affected: <= 1.8.12 | 2017-11-10
[CRITICAL] CWE-352: The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
Source: nvd
CVE-2018-17128 | P3 | MEDIUM | CVSS 5.4 | PoC | fixed in 1.8.19 | 2018-09-17
[MEDIUM] CWE-79: A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.
Source: nvd
CVE-2021-27946 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 1.8.26 | 2021-03-15
[HIGH] CWE-89: SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count (issue 1 of 3).
Source: nvd
CVE-2014-9240 | P3 | HIGH | CVSS 7.5 | PoC | affected: v1.8.0, v1.8.1 | 2014-12-03
[HIGH] CWE-89: SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action.
Source: nvd
CVE-2010-5096 | P3 | HIGH | CVSS 7.5 | PoC | affected: <= 1.6.0, v1.00, +50 more | 2012-08-13
[HIGH] CWE-89: Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a
Source: nvd
CVE-2008-0383 | P3 | HIGH | CVSS 7.5 | PoC | affected: <= 1.2.10 | 2008-01-22
[HIGH] CWE-89: Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) adm
Source: nvd
CVE-2015-8974 | P2 | CRITICAL | CVSS 10.0 | affected: <= 1.6.17, v1.8.0, +5 more | 2017-01-31
[CRITICAL] CWE-89: SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Source: nvd
CVE-2012-5909 | P3 | HIGH | CVSS 7.5 | PoC | affected: v1.6.6 | 2012-11-17
[HIGH] CWE-89: SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php.
Source: nvd
CVE-2023-53979 | P2 | HIGH | CVSS 8.8 | affected: v1.8.32 | 2025-12-22
[HIGH] CWE-22: MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface.
Source: nvd
CVE-2007-1963 | P3 | HIGH | CVSS 7.5 | PoC | affected: <= 1.2.3 | 2007-04-11
[HIGH]: SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.
Source: nvd
CVE-2016-9402 | P2 | CRITICAL | CVSS 9.8 | affected: <= 1.8.6 | 2017-01-31
[CRITICAL] CWE-89: SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
Source: nvd
CVE-2021-27889 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in 1.8.26 | 2021-03-15
[MEDIUM] CWE-79: Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.
Source: nvd
CVE-2007-2212 | P3 | HIGH | CVSS 7.5 | PoC | affected: v1.2.5 | 2007-04-24
[HIGH]: Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Source: nvd
CVE-2016-9416 | P3 | CRITICAL | CVSS 9.8 | affected: <= 1.8.7 | 2017-01-31
[CRITICAL] CWE-89: SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Source: nvd
CVE-2018-15596 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: v1.8.17 | 2018-08-28
[MEDIUM] CWE-79: An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS.
Source: nvd
CVE-2017-7566 | P3 | HIGH | CVSS 7.7 | affected: <= 1.8.10 | 2017-04-06
[HIGH] CWE-918: MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.
Source: nvd
CVE-2015-8973 | P3 | HIGH | CVSS 8.3 | affected: <= 1.6.17, v1.8.0, +5 more | 2017-01-31
[HIGH] CWE-284: xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.
Source: nvd