PatchSiren

CVE-2015-8974 Mybb CVE debrief

CVE-2015-8974 is a critical SQL injection issue in the Group Promotions module of the MyBB admin control panel. The NVD record classifies it as network-reachable, unauthenticated, and high impact, with a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Affected builds include MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The vendor release notes and later security mailing list references in the record point to fixed releases, so the safest interpretation is that this was a pre-auth SQL injection with full database compromise potential on vulnerable versions. Treat exposed admin installations as urgent patch candidates.

Vendor: Mybb
Product: CVE-2015-8974
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

MyBB administrators, forum operators, hosting providers, and security teams responsible for MyBB or MyBB Merge System deployments—especially installations running any version earlier than 1.6.18 or 1.8.6.

Technical summary

The vulnerability is a CWE-89 SQL injection in the Group Promotions module inside the MyBB admin control panel. NVD lists vulnerable CPE ranges for MyBB 1.8.0 through 1.8.5, MyBB versions through 1.6.17, and MyBB Merge System through 1.8.5. Because the CVSS scope is changed and confidentiality, integrity, and availability impacts are all rated high, successful exploitation could allow arbitrary SQL commands and broad compromise of forum data.

Defensive priority

Critical. NVD assigns CVSS 10.0, and the issue is rated as exploitable by remote attackers without authentication or user interaction. Patch priority should be immediate for any internet-facing or actively managed MyBB deployment.

Recommended defensive actions

  • Upgrade MyBB to 1.6.18 or later, or to 1.8.6 or later for the 1.8 branch.
  • Upgrade MyBB Merge System to 1.8.6 or later if used.
  • Review the admin control panel for signs of SQL tampering, unexpected database changes, or privilege escalation.
  • Rotate credentials and assess database exposure if the vulnerable version was reachable by untrusted users.
  • Verify all forum instances, test environments, and bundled merge-system deployments; patch any lagging copies, not just production.
  • Use the vendor release notes and NVD entry to confirm fixed version baselines before reintroducing the service.
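
To support the inventory check in the list above, the following added example (not code from PatchSiren, NVD, or the MyBB project) classifies installed versions against the fixed baselines stated on this page. The host names, the product labels `mybb` and `mybb-merge`, and the inventory line format are assumptions made for the example; versions are compared numerically so that 1.6.9 is correctly treated as older than 1.6.18.

```python
import re

# Fixed-version baselines as stated on this page for CVE-2015-8974.
MYBB_16_FIXED = (1, 6, 18)
MYBB_18_FIXED = (1, 8, 6)
MERGE_FIXED = (1, 8, 6)

# Constructed sample inventory: "<host> <product> <version>".
# Host names and the product labels "mybb" / "mybb-merge" are hypothetical.
SAMPLE_INVENTORY = """\
forum-prod mybb 1.8.6
forum-staging mybb 1.8.5
forum-legacy mybb 1.6.9
forum-archive mybb 1.6.18
migrate-box mybb-merge 1.8.5
forum-dev mybb 1.8.x
"""

def parse_version(text):
    """Convert '1.6.9' to (1, 6, 9) so 1.6.9 sorts before 1.6.18."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(product, version):
    """True if the version is below the fixed baseline for its branch."""
    v = parse_version(version)
    if product == "mybb-merge":
        return v < MERGE_FIXED
    if product == "mybb":
        # Everything before 1.6.18, plus the 1.8 branch before 1.8.6.
        return v < MYBB_16_FIXED or (1, 8, 0) <= v < MYBB_18_FIXED
    raise ValueError(f"unknown product: {product!r}")

def audit(inventory):
    """Return (affected_hosts, needs_manual_review) for an inventory text."""
    affected, review = [], []
    for line in filter(str.strip, inventory.splitlines()):
        try:
            host, product, version = line.split()
            if is_affected(product, version):
                affected.append(host)
        except ValueError:
            # Fail closed: anything we cannot classify gets a human look.
            review.append(line.split()[0])
    return affected, review

print(audit(SAMPLE_INVENTORY))
```

Entries that cannot be parsed are returned for manual review rather than being assumed patched.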

Evidence notes

The source corpus identifies CVE-2015-8974 as a SQL injection in the Group Promotions module of MyBB’s admin control panel, with affected versions before MyBB 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. NVD lists CWE-89 and a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. References include the MyBB release notes (2015-09-07) and later Openwall security mailing list discussions from 2016, indicating the fix and disclosure trail documented in the record.

Official resources

Publicly documented through MyBB vendor release notes and later security mailing list / third-party advisory references, with the CVE record published in NVD on 2017-01-31.