MyBB 1.8.22 published

MyBB 1.8.22 has been released. It’s a maintenance and security update.

What has changed?
5 security issues and 36 other issues have been resolved.

Fixed security issues:

  • High risk: Installer RCE on settings file write
  • Medium risk: Arbitrary upload paths & Local File Inclusion RCE
  • Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data
  • Low risk: Open redirect on login
  • Low risk: SCEditor reflected XSS

Check the Release Notes for a list of changes to language files and templates, and for unresolved issues.


MyBB 1.8.21 published

MyBB 1.8.21 has been published and is now available for download. It includes two high risk security fixes.

What has changed?
6 security vulnerabilities and 39 other issues have been resolved.

Fixed security vulnerabilities:

  • High risk: Theme import stylesheet name RCE
  • High risk: Nested video MyCode persistent XSS
  • Medium risk: Find Orphaned Attachments reflected XSS
  • Medium risk: Post edit reflected XSS
  • Medium risk: Private Messaging folders SQL injection
  • Low risk: Potential phar deserialization through Upload Path

Check the Release Notes for a list of changes to language files and templates, and for unresolved issues.

Huge MyBB security update

MyBB 1.8.15 has been released and contains a huge number of security fixes: 10 low- and medium-risk security vulnerabilities have been addressed in the .15 release.

24 other issues have been resolved, including important permission issues with the delayed moderation feature.

You should update your forum to 1.8.15 as soon as possible. If you cannot update soon, check your moderators' permissions and remove the delayed moderation permission to be safe.

Note that the update script is required for the 1.8.15 update.

MyBB 1.8.9 fixes one low security risk

MyBB 1.8.9 is out and fixes one low-risk security issue.

MyBB 1.8.8 is open to a CSRF attack when removing subscriptions. 1.8.9 fixes that issue.

52 other reported issues have also been fixed, so updating your MyBB is highly recommended, although it is not that urgent.

The fixed issues include:
