PatchSiren cyber security CVE debrief

CVE-2016-9403 MyBB CVE debrief

CVE-2016-9403 affects MyBB and MyBB Merge System before 1.8.7. NVD describes a missing permission check in newreply.php that allows remote attackers to have unspecified impact. The NVD CVSS vector rates the issue as critical, with network access, no privileges, and no user interaction required.

Vendor: MyBB
Product: CVE-2016-9403
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators and operators of MyBB forums, sites running the MyBB Merge System, and teams responsible for public-facing web applications should treat this as urgent if any instance is still on 1.8.6 or earlier.

Technical summary

NVD lists vulnerable MyBB and MyBB Merge System versions up to and including 1.8.6. The issue is described as a missing permission check in newreply.php, which can let a remote attacker trigger unspecified impact. The NVD CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a severe remotely reachable flaw.

Defensive priority

Urgent

Recommended defensive actions

  • Upgrade MyBB and MyBB Merge System to 1.8.7 or later.
  • Verify that no public or internal systems are still running version 1.8.6 or earlier.
  • Review access controls around reply and post-creation workflows, especially newreply.php.
  • Inspect forum logs for abnormal or unauthorized reply activity.
  • Use the vendor release notes and advisories referenced by NVD to confirm the fixed release path.
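The second action above (confirming that no instance is still on 1.8.6 or earlier) is easy to get wrong with plain string comparison, since "1.8.10" sorts before "1.8.7" lexically. The following is an added example, not code from PatchSiren or the MyBB project: it compares versions numerically against the 1.8.7 fix boundary and, as an assumption about MyBB's layout, reads the version from the `public $version = "1.8.x";` declaration in inc/class_core.php. Hostnames and file contents are constructed.

```python
"""Flag MyBB / MyBB Merge System installs that predate the 1.8.7 fix for CVE-2016-9403."""
import re

# First release that NVD does not list as vulnerable (missing permission check in newreply.php).
FIXED_VERSION = (1, 8, 7)


def parse_version(text):
    """Turn '1.8.6' or '1.8.10' into a tuple of ints so ordering is numeric, not lexical."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def version_from_class_core(source):
    """Extract the version from the contents of inc/class_core.php.
    Assumption: MyBB 1.8 declares it as  public $version = "1.8.x";  (not confirmed by the advisory)."""
    m = re.search(r'\$version\s*=\s*"([^"]+)"', source)
    if not m:
        raise ValueError("no $version assignment found in class_core.php")
    return m.group(1)


def is_vulnerable(version):
    """True when the release is at or below 1.8.6, i.e. inside the range NVD lists as affected."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory):
    """inventory: list of (host, version string). Returns the hosts still on a vulnerable release."""
    return [host for host, v in inventory if is_vulnerable(v)]


# Constructed sample data: hostnames and the class_core.php excerpt are made up for this example.
SAMPLE_CLASS_CORE = 'class MyBB\n{\n\tpublic $version = "1.8.6";\n}\n'
SAMPLE_INVENTORY = [
    ("forum-prod.example", "1.8.6"),
    ("forum-staging.example", "1.8.7"),
    ("community.example", "1.8.10"),   # lexically "smaller" than 1.8.7 but actually patched
    ("legacy-merge.example", version_from_class_core(SAMPLE_CLASS_CORE)),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2016-9403, upgrade to MyBB 1.8.7 or later")
```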

Evidence notes

Source material from NVD and the referenced vendor/advisory links states that MyBB and MyBB Merge System versions through 1.8.6 are vulnerable. The record was published on 2017-01-31 and references Openwall mailing list posts, a SecurityFocus entry, and MyBB 1.8.7 release notes as supporting material. The source description does not further specify the exact impact beyond 'unspecified impact.'

Official resources

Public disclosure is tracked by the CVE publication date of 2017-01-31. NVD references point to vendor release notes and mailing list advisories associated with the 1.8.7 fix cycle.