Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.
AnalysisAI
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP. Affected products include: Mybb. Version information: before 1.8.36.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
MyBB is a free and open source forum software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitabl
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration fi
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. Rated high severity (CVSS 8.8), this vulnerabilit
SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files. Rated high severity (
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [vide
Privilege escalation in MyBB 1.8.40 lets a limited Admin Control Panel (ACP) user who holds only the delegated user-mana
MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. Rated high severity (CVSS 7.7), this
SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to ex
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. Rated h
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. Rated
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. Rated high sever
SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today