PT-2025-23535 · Mybb · Mybb

Cillian Collins · Published 2025-06-02 · Updated 2025-06-25

CVE-2025-48940
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.39

Description: The issue affects MyBB, free and open source forum software. It is caused by the upgrade component not validating user input properly, allowing attackers to perform local file inclusion (LFI) via a specially crafted parameter value. To exploit this, the installer must be unlocked and the upgrade script must be accessible, which can happen if the forum is being re-installed via install/index.php, if the forum has not yet been installed, or if the attacker is authenticated as a forum administrator.

Recommendations: For versions prior to 1.8.39, update to version 1.8.39 to resolve the issue. As a temporary workaround, restrict access to the upgrade script and ensure the installer is locked by creating an install/lock file, which minimizes the risk of exploitation.
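A small audit helper for the prerequisites and workaround described above, added here as an example and not taken from the advisory or from MyBB itself. It assumes the operator supplies the MyBB document root and the running version string; install/ and install/lock come from the advisory, every other path is an assumption.

```shell
#!/bin/sh
# Added audit helper (not MyBB project code): checks a MyBB webroot for the
# conditions the advisory names as prerequisites for CVE-2025-48940 and can
# apply the temporary workaround (creating install/lock).
# Assumptions: "$root" is the MyBB document root; the version string is
# supplied by the operator (e.g. read from the admin panel).

# Return 0 (true) if "$1" is a MyBB version older than the fixed 1.8.39.
version_affected() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split "major.minor.patch" on dots
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 39 ]
}

# Return 0 if the installer is locked, i.e. install/lock exists under "$1".
installer_locked() {
    [ -f "$1/install/lock" ]
}

# Apply the workaround: create install/lock under "$1" if it is missing.
# Returns 0 when a lock was created, 1 if already locked, 2 if no install/ dir.
lock_installer() {
    [ -d "$1/install" ] || return 2
    installer_locked "$1" && return 1
    : > "$1/install/lock"
}

# Print findings for webroot "$1" running version "$2".
# Returns 0 when nothing risky was found, 1 otherwise.
audit_mybb() {
    root=$1; ver=$2; found=0
    if version_affected "$ver"; then
        echo "WARN: MyBB $ver is older than 1.8.39; CVE-2025-48940 is unfixed"
        found=1
    fi
    if [ -d "$root/install" ] && ! installer_locked "$root"; then
        echo "WARN: $root/install is present and install/lock is missing"
        found=1
    fi
    return $found
}

# Usage: sh mybb_audit.sh /path/to/mybb 1.8.38   (the path is an assumption)
if [ "$#" -ge 2 ]; then audit_mybb "$1" "$2"; fi
```

Locking the installer only reduces exposure of the upgrade script; the fix is still the upgrade to 1.8.39.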

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2025-48940, GHSA-Q4JV-XWJX-37CP

Affected Products: Mybb