PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9404 MyBB CVE debrief

CVE-2016-9404 is a cross-site scripting (XSS) issue affecting MyBB and MyBB Merge System versions before 1.8.7. The NVD record describes the issue as allowing remote attackers to inject arbitrary web script or HTML through vectors related to login. Although the attack requires user interaction, it can impact both confidentiality and integrity, so it is a meaningful web-application risk even though the CVSS score is in the medium range.

Vendor: MyBB
Product: MyBB, MyBB Merge System
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators and maintainers running MyBB or MyBB Merge System before 1.8.7, especially sites exposing login flows to untrusted users. Security teams responsible for forum platforms and web applications that embed or integrate these components should also review exposure.

Technical summary

The NVD record classifies the weakness as CWE-79 (cross-site scripting) and assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. That vector describes a network-reachable issue that requires no privileges but does require user interaction; Scope: Changed (S:C) records that the impact reaches beyond the vulnerable component itself, as is typical for XSS, where the victim's browser executes the injected content. The affected CPEs in the record are MyBB and MyBB Merge System through version 1.8.6, with the issue described as tied to login-related vectors.

Defensive priority

Medium priority. The issue is publicly documented, affects commonly deployed forum software, and can lead to script or HTML injection in a user-facing authentication path. Remediation should be scheduled promptly if affected versions are still in use.

Recommended defensive actions

  • Upgrade MyBB and MyBB Merge System to version 1.8.7 or later.
  • Review login-related pages and templates for XSS exposure if upgrading is delayed.
  • Validate that any reverse proxies, WAF rules, or templating changes do not reintroduce script injection risks.
  • Check for any custom modifications around authentication or merge workflows that may need to be re-tested after patching.
  • Confirm all exposed instances match the vulnerable version range in the NVD CPE criteria (through 1.8.6).
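The last action, checking each instance against the NVD range "through 1.8.6", is where simple string comparison goes wrong (lexically, "1.8.10" sorts below "1.8.6"). The added example below (not PatchSiren's or MyBB's code) compares dotted versions numerically against the inclusive end of the NVD range; the host inventory and the way the version string is obtained are constructed assumptions, not data from the page.

```python
"""Version-range triage against the NVD CPE criterion 'through 1.8.6'.

Added example (not PatchSiren's or MyBB's code). It assumes you already have
each instance's reported MyBB version string, e.g. from an inventory export;
the inventory below is constructed for illustration.
"""
import re

FIXED_VERSION = "1.8.7"          # fixed release named in the debrief
VERSION_END_INCLUDING = "1.8.6"  # NVD CPE range end (inclusive) from the debrief


def parse_version(v: str) -> tuple:
    """Turn '1.8.6' (optionally with a suffix such as '-rc1') into a sortable tuple.

    Dotted numeric components compare numerically, trailing zeros are dropped so
    '1.8' == '1.8.0', and a pre-release suffix sorts before the bare release.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+]?([A-Za-z][\w.]*))?", v.strip())
    if not m:
        raise ValueError("unparseable version string: %r" % v)
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    suffix = m.group(2)
    # Final releases get rank 1, pre-releases rank 0, so 1.8.7-rc1 < 1.8.7.
    return (tuple(nums), 0, suffix.lower()) if suffix else (tuple(nums), 1, "")


def is_affected(version: str) -> bool:
    """True when the version lies inside the NVD range (<= versionEndIncluding)."""
    return parse_version(version) <= parse_version(VERSION_END_INCLUDING)


# Constructed inventory: host -> reported MyBB version (not real hosts).
INVENTORY = {
    "forum-a.example": "1.8.6",
    "forum-b.example": "1.8.7",
    "forum-c.example": "1.8.7-rc1",
    "forum-d.example": "1.6.18",
    "forum-e.example": "1.8.10",
}


def triage(inventory: dict) -> list:
    """Return the sorted hosts whose version falls inside the NVD range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("%s runs %s: inside NVD range, upgrade to %s"
              % (host, INVENTORY[host], FIXED_VERSION))
```

Two caveats the output makes visible: 1.8.10 is correctly reported as outside the range only because components are compared as integers, and a 1.8.7 pre-release build sorts above 1.8.6 and is therefore reported as outside the stated NVD range even though it may predate the fix; such builds need manual confirmation against the vendor advisory rather than a range check.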

Evidence notes

All claims are limited to the supplied CVE/NVD metadata and the referenced vendor or advisory links listed in the source corpus. The record states the weakness type (CWE-79), affected products/versions, CVSS vector, and the login-related XSS description. No exploit details or unverified impact statements are included.

Official resources

The CVE was published in the source corpus on 2017-01-31. The NVD record was later modified on 2026-05-13. Vendor and mailing-list references in the corpus indicate the fix and advisories were available prior to the CVE publication record.