GCVE - cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*

part: a version: 1.2 update: *

Vendor	Mybb (`8821e130-2590-5689-a7de-85bc65b3bdf4`)
Product	Mybb (`0a7c5598-1dcf-5314-89b1-60f621a820e9`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/mybb/mybb`	purl2cpe	2026-06-01 10:11:09.774059

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2018-25250`	vulnerable	2026-06-03 14:38:41.269953	MyBB Last User's Threads in Profile Plugin 1.2 Persistent XSS HIGH (7.2) MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that execute when users visit the attacker's profile page. Published: 2026-04-04T13:51:14.951Z Updated: 2026-05-24T01:36:16.005Z Open on db.gcve.eu Reference links https://www.exploit-db.com/exploits/44339 https://community.mybb.com/mods.php?action=view&pid=910 https://www.vulncheck.com/advisories/mybb-last-user-s-threads-in-profile-plugin-persistent-xss	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-7288`	vulnerable	2026-06-03 14:33:34.911345	Details available Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs. Published: 2014-01-10T16:00:00.000Z Updated: 2024-09-17T01:50:54.525Z Open on db.gcve.eu Reference links https://github.com/mybb/mybb/commit/238696e37d6a22b89e6bba11e4de3e6620cb5547 http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release http://secunia.com/advisories/55945 http://www.securityfocus.com/bid/64570 http://osvdb.org/show/osvdb/101544	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-7275`	vulnerable	2026-06-03 14:33:34.749803	Details available Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup. Published: 2014-01-08T15:00:00.000Z Updated: 2024-09-16T19:45:42.403Z Open on db.gcve.eu Reference links https://github.com/mybb/mybb/commit/6212bc954d72caf591e141ca36b8df964387bee8 http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release http://secunia.com/advisories/55945 http://www.securityfocus.com/bid/64570 http://osvdb.org/101545	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-5133`	vulnerable	2026-06-03 14:31:27.955076	Details available Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an "unparsed user avatar in the buddy list." Published: 2012-08-30T22:00:00.000Z Updated: 2024-09-17T00:51:26.797Z Open on db.gcve.eu Reference links http://secunia.com/advisories/46951 http://www.osvdb.org/77325 http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/ http://www.securityfocus.com/bid/50816	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-5132`	vulnerable	2026-06-03 14:31:27.953641	Details available Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to "usernames via AJAX." Published: 2012-08-30T22:00:00.000Z Updated: 2024-08-07T00:23:40.249Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/71461 http://secunia.com/advisories/46951 http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/ http://www.securityfocus.com/bid/50816 http://www.osvdb.org/77326	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-5131`	vulnerable	2026-06-03 14:31:27.933534	Details available Cross-site request forgery (CSRF) vulnerability in global.php in MyBB before 1.6.5 allows remote attackers to hijack the authentication of a user for requests that change the user's language via the language parameter. Published: 2012-08-30T22:00:00.000Z Updated: 2024-08-07T00:23:40.140Z Open on db.gcve.eu Reference links http://dev.mybb.com/issues/1729 http://www.osvdb.org/77327 http://secunia.com/advisories/46951 https://exchange.xforce.ibmcloud.com/vulnerabilities/71462 http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2010-5096`	vulnerable	2026-06-03 14:30:45.128652	Details available Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error. Published: 2012-08-13T23:00:00.000Z Updated: 2024-09-17T04:10:28.021Z Open on db.gcve.eu Reference links http://www.osvdb.org/70014 http://dev.mybb.com/issues/1330 http://www.openwall.com/lists/oss-security/2012/05/08/7 http://www.osvdb.org/70013 http://www.securityfocus.com/bid/45565	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2010-4629`	vulnerable	2026-06-03 14:30:42.930289	Details available MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php. Published: 2010-12-30T20:00:00.000Z Updated: 2024-08-07T03:51:17.935Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/64513 http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/ http://openwall.com/lists/oss-security/2010/10/08/7 http://dev.mybboard.net/projects/mybb/repository/revisions/4856 http://openwall.com/lists/oss-security/2010/10/11/8	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2010-4628`	vulnerable	2026-06-03 14:30:42.929135	Details available member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table. Published: 2010-12-30T20:00:00.000Z Updated: 2024-08-07T03:51:17.919Z Open on db.gcve.eu Reference links http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/ http://openwall.com/lists/oss-security/2010/10/08/7 http://openwall.com/lists/oss-security/2010/10/11/8 https://exchange.xforce.ibmcloud.com/vulnerabilities/64514 http://openwall.com/lists/oss-security/2010/12/06/2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2010-4627`	vulnerable	2026-06-03 14:30:42.927934	Details available Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Published: 2010-12-30T20:00:00.000Z Updated: 2024-08-07T03:51:17.971Z Open on db.gcve.eu Reference links http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/ http://openwall.com/lists/oss-security/2010/10/08/7 http://openwall.com/lists/oss-security/2010/10/11/8 http://dev.mybboard.net/issues/852 http://openwall.com/lists/oss-security/2010/12/06/2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2010-4626`	vulnerable	2026-06-03 14:30:42.926796	Details available The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account's password, and then conducting a brute-force attack. Published: 2010-12-30T20:00:00.000Z Updated: 2024-08-07T03:51:17.916Z Open on db.gcve.eu Reference links http://dev.mybboard.net/issues/843 http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/ http://openwall.com/lists/oss-security/2010/10/08/7 https://exchange.xforce.ibmcloud.com/vulnerabilities/64516 http://dev.mybboard.net/projects/mybb/repository/revisions/4872	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2010-4625`	vulnerable	2026-06-03 14:30:42.925443	Details available MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page. Published: 2010-12-30T20:00:00.000Z Updated: 2024-08-07T03:51:17.744Z Open on db.gcve.eu Reference links http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/ http://dev.mybboard.net/issues/809 http://openwall.com/lists/oss-security/2010/10/08/7 http://openwall.com/lists/oss-security/2010/10/11/8 http://openwall.com/lists/oss-security/2010/12/06/2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2010-4624`	vulnerable	2026-06-03 14:30:42.912809	Details available MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created. Published: 2010-12-30T20:00:00.000Z Updated: 2024-08-07T03:51:17.658Z Open on db.gcve.eu Reference links http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/ http://dev.mybboard.net/issues/728 http://openwall.com/lists/oss-security/2010/10/08/7 http://openwall.com/lists/oss-security/2010/10/11/8 http://openwall.com/lists/oss-security/2010/12/06/2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-3967`	vulnerable	2026-06-03 14:28:56.594131	Details available moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors. Published: 2008-09-10T15:00:00.000Z Updated: 2024-08-07T10:00:42.598Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2008/09/09/1 http://secunia.com/advisories/31760 http://community.mybboard.net/showthread.php?tid=36022 http://www.securityfocus.com/bid/31104 http://community.mybboard.net/attachment.php?aid=10579	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-3966`	vulnerable	2026-06-03 14:28:56.593163	Details available Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3) tsubject and (4) psubject fields in moderation.php. Published: 2008-09-10T15:00:00.000Z Updated: 2024-08-07T10:00:42.292Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2008/09/09/1 http://secunia.com/advisories/31760 http://community.mybboard.net/showthread.php?tid=36022 http://www.securityfocus.com/bid/31104 http://community.mybboard.net/attachment.php?aid=10579	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-3965`	vulnerable	2026-06-03 14:28:56.590082	Details available SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field. Published: 2008-09-10T15:00:00.000Z Updated: 2024-08-07T10:00:42.125Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2008/09/09/1 http://secunia.com/advisories/31760 http://community.mybboard.net/showthread.php?tid=36022 http://www.securityfocus.com/bid/31104 http://community.mybboard.net/attachment.php?aid=10579	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.