PatchSiren cyber security CVE debrief

CVE-2016-9402 MyBB CVE debrief

CVE-2016-9402 is a critical SQL injection vulnerability affecting MyBB and MyBB Merge System versions before 1.8.7. According to NVD, it can let a remote attacker execute arbitrary SQL commands through unspecified vectors in the moderation tool. Because the issue is network-accessible, requires no privileges, and has high impact to confidentiality, integrity, and availability, it should be treated as an urgent patching issue for any exposed installation.

Vendor: MyBB
Product: CVE-2016-9402
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators and operators of MyBB forums, especially instances running MyBB or MyBB Merge System 1.8.6 or earlier. Security teams responsible for internet-facing community platforms and any system that uses the moderation tool should prioritize this immediately.

Technical summary

NVD classifies the issue as CWE-89 (SQL Injection) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerable products listed in the supplied corpus are cpe:2.3:a:mybb:mybb and cpe:2.3:a:mybb:merge_system, both with a vulnerable version range ending at 1.8.6. The public description states only that remote attackers might be able to execute arbitrary SQL commands via unspecified vectors in the moderation tool.

Defensive priority

Critical. The supplied CVSS score is 9.8 and the vector indicates no privileges, no user interaction, and full impact to confidentiality, integrity, and availability. Systems that are reachable over the network should be patched as soon as possible.

Recommended defensive actions

  • Upgrade MyBB and MyBB Merge System to 1.8.7 or later as indicated by the NVD vulnerable-version range and vendor release reference.
  • Confirm all deployed forum instances are no longer running 1.8.6 or earlier, including merged installations.
  • Review moderation-tool access paths and check application and database logs for unexpected queries or tampering around the disclosure window and after.
  • If immediate upgrading is not possible, reduce exposure of the affected administrative surface until remediation is complete.
  • After patching, validate database integrity and user/admin account states for signs of unauthorized changes.

Evidence notes

The vulnerability description, CVSS vector, weakness type, and affected version range were taken from the supplied NVD record. The record lists two official product criteria as vulnerable through 1.8.6. Reference links in the corpus include NVD, the CVE record, MyBB release notes, and Openwall mailing-list posts. The supplied corpus does not identify a more specific exploit path than 'unspecified vectors,' so this debrief avoids guessing at request parameters or code paths. The CVE was published on 2017-01-31; the 2026 modified timestamp reflects later record maintenance, not original disclosure.

Official resources

Publicly disclosed in the CVE record on 2017-01-31, with mitigation and advisory references in the supplied corpus pointing to MyBB release notes and Openwall security mailing-list posts. The supplied data does not indicate KEV listing or a