Security News > 2021 > March > Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites

A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution without the need for prior access to a privileged account.
The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update on March 10 addressing the issues.
MyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software developed using PHP and MySQL. According to internet assets search engine Spyse, there are at least 2,100 potentially vulnerable domains that have MyBB installed.
According to the researchers, the first issue - a nested auto URL persistent XSS vulnerability - stems from how MyBB parses messages containing URLs during the rendering process, thus enabling any unprivileged forum user to embed stored XSS payloads into threads, posts, and even private messages.
The second vulnerability concerns an SQL injection in a forum's theme manager that could result in an authenticated RCE. A successful exploitation occurs when a forum administrator with the "Can manage themes?" permission imports a maliciously crafted theme, or a user, for whom the theme has been set, visits a forum page.
"As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum."
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/GZfyE8kIgrM/critical-rce-flaw-reported-in-mybb.html
Related news
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364) (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Veeam RCE bug lets domain users hack backup servers, patch now (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)