Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (GitHub Advisory)
MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no install/lock file present) and the upgrade script must be accessible (by re-installing the forum through install/index.php, when the forum has not yet been installed, or when the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.
Analysis (AI)
MyBB versions prior to 1.8.39 contain a local file inclusion (LFI) vulnerability in the upgrade component due to improper input validation (CWE-22). This vulnerability allows authenticated administrators or unauthenticated attackers with access to an unlocked installer to read arbitrary files from the server filesystem. The vulnerability requires either the installer to be accessible via re-installation or the attacker to have administrative privileges, significantly limiting real-world exploitability despite the CVSS 7.2 score.
Technical Context (AI)
MyBB is a PHP-based forum software platform. The vulnerability exists in the upgrade/installation component (install/index.php) which fails to properly sanitize user-supplied parameters before using them in file inclusion operations, leading to path traversal and local file inclusion (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The root cause is insufficient input validation in file path handling, allowing attackers to manipulate parameters to include arbitrary files outside the intended directory structure. The vulnerability is contingent upon the install/lock file being absent (indicating an unlocked installer state), suggesting the developers intended to restrict this attack surface post-installation but failed to implement proper controls during the upgrade process.
Remediation (AI)
1. Immediate patch: Upgrade MyBB to version 1.8.39 or later, which resolves the input validation issue in the upgrade component.
2. For unpatched systems pending upgrade:
   (a) Remove or rename the install/ directory entirely post-deployment to prevent any access to installation scripts;
   (b) Restrict access to install/index.php via web server configuration (.htaccess for Apache, nginx location blocks) using IP whitelisting or authentication;
   (c) Ensure the install/lock file exists and is properly protected with restrictive file permissions (644 or similar);
   (d) Implement authentication/authorization checks at the web server level for any installer-related paths;
   (e) Monitor access logs for suspicious requests to install/index.php.
3. Long-term: Deploy automated security scanning to detect the presence of installer files in production; implement configuration management to enforce removal of installer directories post-deployment.
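The two interim controls that are easiest to verify mechanically are (c), that install/lock exists whenever the install/ directory is still deployed, and (e), that requests for install/index.php are visible in the access log. The POSIX shell script below is an added example written for this page; it is not MyBB project code. It assumes a MyBB document root passed as an argument and an Apache/nginx combined-format access log; the directory layout and log lines in the demo at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MyBB project code. Checks the precondition the
# advisory names (an install/ directory that is still present while
# install/lock is absent) and scans a combined-format access log for
# requests to install/index.php. The docroot layout and the log lines in
# the demo below are constructed for illustration.

# Returns 0 when the installer is unreachable (install/ removed, or
# install/lock present); returns 1 when the installer is unlocked.
mybb_installer_state() {
    docroot="$1"
    if [ ! -d "$docroot/install" ]; then
        echo "OK: $docroot/install is absent"
        return 0
    fi
    if [ -f "$docroot/install/lock" ]; then
        echo "OK: installer locked ($docroot/install/lock present)"
        return 0
    fi
    echo "WARNING: $docroot/install exists and install/lock is missing; installer is unlocked"
    return 1
}

# Echoes the number of requests for /install/ or /install/index.php found
# in a combined-format access log; the matching lines go to stderr for
# review. Always returns 0 so it can be used inside $(...) under set -e.
count_installer_hits() {
    logfile="$1"
    pattern=' "(GET|POST|HEAD) /install/(index\.php)?'
    grep -E "$pattern" "$logfile" >&2 || true
    grep -cE "$pattern" "$logfile" || true
}

# Demo on a constructed layout and log.
demo=$(mktemp -d)
mkdir -p "$demo/site/install"
mybb_installer_state "$demo/site" || true      # unlocked: prints WARNING
touch "$demo/site/install/lock"
mybb_installer_state "$demo/site"              # locked: prints OK
cat > "$demo/access.log" <<'EOF'
203.0.113.7 - - [01/Jun/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Jun/2025:10:00:01 +0000] "GET /install/index.php?action=upgrade HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jun/2025:10:00:02 +0000] "GET /install/ HTTP/1.1" 200 1024
EOF
echo "installer requests in log: $(count_installer_hits "$demo/access.log" 2>/dev/null)"
rm -rf "$demo"
```

Run it from cron or a deployment hook with the real document root and log path; a WARNING from the first function means the state the advisory requires for exploitation is present, and a non-zero count from the second means the installer path is being requested and the web server rule from item (b) should be confirmed to return 403.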
EUVD-2025-16668