CVE-2025-48940

High CVSS: 7.2

MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.

Vendor

Mybb

Product

Mybb

CWE

CWE-22

Yayın Tarihi

2025-06-02 16:15:30

Güncelleme

2025-07-02 15:18:47

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Mybb HIGH Mybb 2025

Referanslar

https://github.com/mybb/mybb/commit/6e6cfbd524d9101b51e1278ecf520479b64b0f00 https://github.com/mybb/mybb/security/advisories/GHSA-q4jv-xwjx-37cp https://mybb.com/versions/1.8.39

Benzer Kayıtlar

Medium

CVE-2023-53976

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows au…

Medium

CVE-2023-53977

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authe…

Medium

CVE-2023-53978

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows aut…

High

CVE-2023-53979

MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictio…

Critical

CVE-2011-10018

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remot…

Medium

CVE-2025-48941

MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions…