PT-2025-52715 · Unknown · Mybb Forums
Andrey Stoykov · Published 2025-12-22 · Updated 2025-12-26
CVE-2023-53978
CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
myBB Forums version 1.8.26
Description
myBB Forums version 1.8.26 has a stored cross-site scripting issue in the forum announcement system. Authenticated administrators can inject malicious scripts when creating announcements. Attackers can exploit this by inserting script payloads in the announcement title field through the 'Forums and Posts' > 'Forum Announcements' interface. This causes arbitrary JavaScript to execute when the announcement is displayed on the forum. The vulnerable parameter is the announcement title.
Recommendations
Administrators should avoid inserting script payloads in the announcement title field when adding announcements.
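The description above comes down to an announcement title that is stored as typed and later written into the page without encoding. The following is an added example, not MyBB's code or its fix: it contrasts unencoded and encoded rendering of a title and audits stored titles for markup. The function names, the `<h2>` wrapper and the sample rows are assumptions made for illustration.

```python
import html
import re

# Constructed sample rows (announcement id, title); not data from a real forum.
SAMPLE_ANNOUNCEMENTS = [
    (1, "Scheduled maintenance on Friday"),
    (2, "Rules & guidelines <updated>"),
    (3, "<script>alert(1)</script>"),
    (4, 'Q&A: "sticky" threads'),
]

# Start of an HTML tag, closing tag or comment/declaration.
TAG_START = re.compile(r"<\s*/?\s*[A-Za-z!]")


def render_title_unsafe(title):
    """Vulnerable pattern: the stored title is concatenated into HTML as-is."""
    return '<h2 class="announcement">' + title + "</h2>"


def render_title_safe(title):
    """Hardened pattern: encode on output so the title is always text.

    html.escape() converts &, <, > and both quote characters, which covers
    element content and quoted attribute values.
    """
    return '<h2 class="announcement">' + html.escape(title, quote=True) + "</h2>"


def audit_titles(rows):
    """Return ids of stored titles that contain tag-like markup.

    Useful for reviewing announcements that already exist in the database.
    A hit is a reason to inspect the row, not proof of an attack: row 2 in
    the sample is flagged for a harmless "<updated>".
    """
    return [row_id for row_id, title in rows if TAG_START.search(title)]


if __name__ == "__main__":
    for row_id, title in SAMPLE_ANNOUNCEMENTS:
        print(row_id, render_title_safe(title))
    print("titles to review:", audit_titles(SAMPLE_ANNOUNCEMENTS))
```

Encoding at output time protects every reader of the page regardless of what an administrator typed, while the audit only helps find entries that were stored before the encoding was in place.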
Affected Products
Mybb Forums