Cillian Collins

#16621of 53,638
16.2Total CVSS
Vulnerabilities · 2
High
2
PT-2025-23535
7.2
2025-06-02
Mybb · Mybb · CVE-2025-48940
**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.39 **Description** The issue affects MyBB, free and open source forum software. It is caused by the upgrade component not validating user input properly, allowing attackers to perform local file inclusion (LFI) via a specially crafted parameter value. To exploit this, the installer must be unlocked and the upgrade script must be accessible, which can happen if the forum is re-installed via access to `install/index.php`, when the forum has not yet been installed, or the attacker is authenticated as a forum administrator. **Recommendations** For versions prior to 1.8.39, update to version 1.8.39 to resolve the issue. As a temporary workaround, consider restricting access to the upgrade script and ensuring the installer is locked by creating an `install/lock` file to minimize the risk of exploitation.
PT-2022-2581
9.0
2022-03-09
Mybb · Mybb · CVE-2022-24734
**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.30 **Description** The issue is related to the Admin CP's Settings management module, which does not validate setting types correctly on insertion and update. This allows an attacker to add settings of supported type `php` with PHP code, executed on Change Settings pages, resulting in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module stores setting data in an options code string (`$options code`; `mybb settings.optionscode` database column) that identifies the setting type and its options, separated by a new line character (` `). The vulnerability can be exploited by remote attackers who have authentication access to the Control Panel. **Recommendations** For MyBB versions prior to 1.8.30, update to version 1.8.30 to resolve the issue. As a temporary workaround, consider restricting access to the Admin CP's Settings management module to minimize the risk of exploitation. Additionally, restrict the use of the `php` setting type until the issue is resolved.