Description
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.
Published: 2026-04-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MyBB Recent threads 17.0 contains a persistent cross‑site scripting vulnerability that allows malicious scripts to be injected via the thread subject field. Attackers create threads containing script tags, which are stored in the database and rendered unfiltered on the index page, enabling arbitrary JavaScript execution in the browsers of all users who view the index. The vulnerability is a stored XSS flaw (CWE‑79) that can lead to session hijacking, defacement, or data theft in the victim’s browser.

Affected Systems

The issue afflicts MyBB Recent threads, version 17.0. Users running this exact version are susceptible.

Risk and Exploitability

The CVSS score of 5.1 classifies it as medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only the ability to create new threads, which most forum users possess, making exploitation straightforward. The vulnerability is saved on the server and then displayed to all visitors of the index page, providing a broad attack surface.

Generated by OpenCVE AI on April 30, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MyBB installation to a version where the cross‑site scripting fix has been applied.
  • If an upgrade is not immediately feasible, modify the thread creation logic to sanitize the subject field, e.g., by encoding or stripping HTML tags before storage.
  • Until a patch is applied, restrict or disable the ability to create threads from untrusted or anonymous accounts to reduce the opportunity for injection.

Generated by OpenCVE AI on April 30, 2026 at 03:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Dragonexpert
Dragonexpert recent Threads On Index
CPEs cpe:2.3:a:dragonexpert:recent_threads_on_index:17.0:*:*:*:*:mybb:*:*
Vendors & Products Dragonexpert
Dragonexpert recent Threads On Index

Thu, 30 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.
Title MyBB Recent threads 17.0 Persistent Cross-Site Scripting
First Time appeared Mybb
Mybb mybb
Weaknesses CWE-79
CPEs cpe:2.3:a:mybb:mybb:17.0:*:*:*:*:*:*:*
Vendors & Products Mybb
Mybb mybb
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Dragonexpert Recent Threads On Index
Mybb Mybb
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T13:07:56.870Z

Reserved: 2026-04-29T12:18:35.172Z

Link: CVE-2018-25309

cve-icon Vulnrichment

Updated: 2026-04-30T13:07:53.387Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T20:16:26.463

Modified: 2026-05-01T19:15:42.213

Link: CVE-2018-25309

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T04:00:15Z

Weaknesses