PT-2025-23536 · Mybb · Mybb

Dvz · Published 2025-06-02 · Updated 2025-06-02 · CVE-2025-48941

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

MyBB versions prior to 1.8.39

Description

The search component in MyBB does not validate permissions correctly, allowing attackers to determine the existence of hidden threads, including draft, unapproved, or soft-deleted threads, by analyzing the search results. The mybb_threads.visible integer column is not validated in internal search queries, and the resulting general success or failure of the search can be used to infer whether a matching hidden thread exists. This issue can be exploited by users with access to the search functionality and general access to the forums containing the threads. The vulnerability does not expose the message content of posts.

Recommendations

For MyBB versions prior to 1.8.39, update to version 1.8.39 to resolve the issue. As a temporary workaround, consider restricting access to the search functionality to minimize the risk of exploitation.

Related Identifiers

CVE-2025-48941
GHSA-F847-57XC-FFWR

Affected Products

Mybb