PatchSiren cyber security CVE debrief
CVE-2015-8975 Mybb CVE debrief
CVE-2015-8975 describes a cross-site scripting vulnerability in the MyBB error handler. According to NVD, it affects MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The issue was publicly recorded in the CVE system on 2017-01-31, and the vendor release notes referenced by NVD point to the fixed 1.6.18 / 1.8.6 releases.
- Vendor: Mybb
- Product: CVE-2015-8975
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-31
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-31
- Advisory updated: 2026-05-13
Who should care
Administrators and developers running MyBB forums or the MyBB Merge System, especially if the site is internet-facing and users can reach error pages. Security teams responsible for web application patching and content-safety controls should also review it.
Technical summary
NVD classifies the weakness as CWE-79 and gives the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, and required user interaction. The vulnerability is described as XSS in the error handler, with unspecified vectors in the public record. NVD lists affected CPEs for MyBB versions through 1.6.17 and 1.8.5, plus MyBB Merge System 1.8.5.
Defensive priority
Medium. The vulnerability can lead to script or HTML injection in a web context, so exposed forums should be updated promptly, but NVD does not mark it as KEV and no ransomware linkage is provided in the supplied corpus.
Recommended defensive actions
- Upgrade MyBB to 1.6.18 or later, or 1.8.6 or later, depending on your branch.
- Upgrade MyBB Merge System to 1.8.6 or later.
- Review any custom error-page handling, templates, or plugins that may echo untrusted input into HTML.
- Confirm that web application security controls such as output encoding and content security policies are in place where applicable.
- Inventory forum instances to ensure no unsupported or unpatched MyBB deployments remain online.
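The upgrade and inventory steps above can be combined into a version triage. The following is an added example, not code from MyBB, NVD or this debrief's source; the inventory layout, host names and function names are assumptions, and the version ranges are the ones quoted on this page.

```python
import re

# Ranges as stated in this debrief (from NVD):
# MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, Merge System before 1.8.6.
FIXED_16, FIXED_18, FIXED_MERGE = (1, 6, 18), (1, 8, 6), (1, 8, 6)

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not a plain dotted version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_affected(product, version_text):
    """True/False for a clear verdict, None when the row needs manual review."""
    v = parse_version(version_text)
    if v is None or product not in ("mybb", "merge"):
        return None  # unknown version or product: never assume it is safe
    if product == "merge":
        return v < FIXED_MERGE
    if v < FIXED_16:
        return True
    if v[:2] == (1, 6) or v >= FIXED_18:
        return False
    # What remains is 1.8.x below the fix, or a branch the ranges do not cover.
    return True if v[:2] == (1, 8) else None

def triage(inventory):
    """Group (host, product, version) rows into affected / ok / review lists."""
    buckets = {"affected": [], "ok": [], "review": []}
    for host, product, version in inventory:
        verdict = is_affected(product.strip().lower(), version)
        key = "review" if verdict is None else ("affected" if verdict else "ok")
        buckets[key].append(host)
    return buckets

# Constructed sample inventory (hosts and versions are made up for illustration).
SAMPLE = [
    ("forum-a.example.org", "MyBB", "1.6.17"),
    ("forum-b.example.org", "MyBB", "1.8.6"),
    ("forum-c.example.org", "MyBB", "1.8.5"),
    ("merge.example.org", "Merge", "1.8.5"),
    ("forum-d.example.org", "MyBB", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Rows that land in `review` have a version string that could not be parsed or a branch outside the stated ranges, so they need a manual check rather than being counted as patched.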
Evidence notes
This debrief is based on the supplied NVD record and the referenced vendor/advisory links only. NVD states the weakness is CWE-79 and lists affected versions through MyBB 1.6.17, MyBB 1.8.5, and MyBB Merge System 1.8.5. The vendor release notes reference fixed releases 1.6.18 and 1.8.6, and the CVE was published on 2017-01-31. The record was later modified on 2026-05-13; that modified date is not treated as the issue date.
Official resources
- CVE-2015-8975 CVE record: CVE.org
- CVE-2015-8975 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
Publicly disclosed through vendor release notes and third-party advisories referenced by the CVE record; the CVE entry was published on 2017-01-31.