PatchSiren cyber security CVE debrief

CVE-2015-8976 MyBB CVE debrief

CVE-2015-8976 is a cross-site scripting (XSS) issue in MyBB and MyBB Merge System that can let a remote attacker inject arbitrary web script or HTML through vectors related to old upgrade files. NVD rates the issue as medium severity (CVSS 6.1) with network access, low attack complexity, no privileges, and required user interaction. The affected versions listed in the corpus are MyBB before 1.6.18, MyBB 1.8.0 through 1.8.5, and MyBB Merge System before 1.8.6.

Vendor: MyBB
Product: CVE-2015-8976
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators running MyBB forums, teams maintaining MyBB Merge System deployments, and security responders responsible for reviewing legacy upgrade artifacts or public-facing web content should prioritize this issue.

Technical summary

The published record identifies CWE-79 (XSS). The vulnerability is tied to "old upgrade files," indicating that stale or exposed upgrade-related resources can be used to inject script or HTML into a victim's browser. NVD's vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that exploitation is remotely reachable without privileges (AV:N, AC:L, PR:N) but depends on user interaction (UI:R), crosses a scope boundary (S:C), and has low impact on confidentiality and integrity (C:L, I:L) with no impact on availability (A:N). The corpus does not include exploit details or a deeper root-cause write-up, so the safest interpretation is that exposure of upgrade files or remnants from an older upgrade path can create an XSS entry point in affected releases.

Defensive priority

Medium. The issue is public, remotely reachable, and affects user-facing web applications, but it requires user interaction and is not rated as high severity in the supplied data.

Recommended defensive actions

  • Upgrade MyBB to 1.6.18 or later, and 1.8.x to 1.8.6 or later; upgrade MyBB Merge System to 1.8.6 or later.
  • Search for and remove or restrict access to any old upgrade files or other legacy installer/upgrade artifacts exposed on the web server.
  • Review affected forum pages and upgrade-related paths for unexpected script or HTML injection behavior.
  • If immediate upgrading is not possible, apply temporary access restrictions to legacy upgrade resources and monitor for anomalous requests.
  • Validate that deployment and backup processes do not reintroduce old upgrade files after remediation.
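As an added example (not code from the PatchSiren debrief or the MyBB project), the following POSIX shell guardrail can run in a deployment or backup-restore pipeline and fails when legacy installer or upgrade artifacts remain in the web root. The directory names and file-name patterns are assumptions; adjust them to the paths your own installation ships.

```shell
#!/bin/sh
# Added example, not code from the PatchSiren debrief or the MyBB project:
# a deployment guardrail that fails when legacy installer/upgrade artifacts
# remain in a MyBB web root. The directory names and file patterns are
# ASSUMED placeholders; replace them with the paths your installation ships.
set -eu

# check_legacy_artifacts WEBROOT
# Prints every suspicious path found under WEBROOT.
# Returns 0 when the tree is clean, 1 when any artifact is present.
check_legacy_artifacts() {
  webroot=$1
  hits=0

  # Assumed legacy directories that a finished upgrade should not leave behind.
  for dir in install upgrade; do
    if [ -d "$webroot/$dir" ]; then
      echo "legacy directory present: $webroot/$dir"
      hits=$((hits + 1))
    fi
  done

  # Assumed file-name patterns for stale upgrade scripts and backup copies.
  # Patterns are quoted so that find, not the shell, performs the matching.
  files=$(find "$webroot" -type f \( -name 'upgrade*.php' -o -name 'install*.php' \
           -o -name '*.php.bak' -o -name '*.php.old' \) -print)
  if [ -n "$files" ]; then
    printf '%s\n' "$files" | while IFS= read -r f; do
      echo "legacy file present: $f"
    done
    hits=$((hits + 1))
  fi

  if [ "$hits" -eq 0 ]; then
    echo "clean: no legacy upgrade artifacts under $webroot"
    return 0
  fi
  return 1
}

# Demonstration against a constructed web root (temporary, removed afterwards).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/inc" "$demo_root/install"
: > "$demo_root/install/upgrade.php"
: > "$demo_root/inc/functions.php"
check_legacy_artifacts "$demo_root" || echo "deployment check would fail (exit 1)"
rm -rf "$demo_root"
```

Wire the function into the deploy step that publishes the web root so a non-zero exit blocks the release until the artifacts are removed.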

Evidence notes

All factual statements above are grounded in the supplied NVD record and the vendor release note reference. The corpus explicitly lists the affected version ranges, the CWE-79 classification, and the CVSS 3.0 vector. References include the MyBB release notes and security mailing list threads, but the corpus does not provide exploit code, proof-of-concept details, or additional technical root-cause analysis.

Official resources

Publicly disclosed in the CVE/NVD record with vendor release-note and mailing-list references; the supplied CVE metadata shows a published date of 2017-01-31T22:59:00.267Z and a later record modification on 2026-05-13T00:24:29.033Z.