GCVE - cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*

part: a version: 1.8.38 update: *

Vendor	Mybb (`8821e130-2590-5689-a7de-85bc65b3bdf4`)
Product	Mybb (`0a7c5598-1dcf-5314-89b1-60f621a820e9`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/mybb/mybb`	purl2cpe	2026-06-01 10:11:09.774181

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-29460`	vulnerable	2026-06-03 15:00:14.334331	Details available An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. Published: 2025-04-17T00:00:00.000Z Updated: 2025-04-23T13:04:01.605Z Open on db.gcve.eu Reference links https://www.yuque.com/morysummer/vx41bz/fgg059stiog457ch https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-29459`	vulnerable	2026-06-03 15:00:14.333939	Details available An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. Published: 2025-04-17T00:00:00.000Z Updated: 2025-04-23T13:02:24.406Z Open on db.gcve.eu Reference links https://www.yuque.com/morysummer/vx41bz/ggnmg5nnu635kvrc https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-29458`	vulnerable	2026-06-03 15:00:14.333532	Details available An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. Published: 2025-04-17T00:00:00.000Z Updated: 2025-04-23T13:01:06.479Z Open on db.gcve.eu Reference links https://www.yuque.com/morysummer/vx41bz/qu7zyyxr84qno64e https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-29457`	vulnerable	2026-06-03 15:00:14.333149	Details available An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. Published: 2025-04-17T00:00:00.000Z Updated: 2025-04-23T12:59:36.907Z Open on db.gcve.eu Reference links https://www.yuque.com/morysummer/vx41bz/vro4dvxzuiwlg6uv https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-52702`	vulnerable	2026-06-03 14:57:30.714587	Details available A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter. NOTE: this is disputed by the Supplier because Website Name can only be set by an administrator, who may use JavaScript if they wish. Published: 2024-11-20T00:00:00.000Z Updated: 2025-12-08T16:03:55.020Z Open on db.gcve.eu Reference links https://github.com/mybb/mybb/issues/4859 https://github.com/mybb/mybb/issues/4859#issuecomment-2468480756	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.