PatchSiren cyber security CVE debrief
CVE-2016-9407 MyBB CVE debrief
CVE-2016-9407 is a cross-site scripting (XSS) vulnerability in MyBB and MyBB Merge System before 1.8.7. According to the official record, remote attackers could inject arbitrary web script or HTML through vectors involving Mod control panel logs. The NVD entry rates the issue as CVSS 3.0 6.1 (Medium), with a network attack vector, low confidentiality and integrity impact, no availability impact, and user interaction required.
- Vendor: MyBB
- Product: CVE-2016-9407
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-31
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-31
- Advisory updated: 2026-05-13
Who should care
MyBB forum operators, administrators, and security teams responsible for moderator control panel log handling should care, especially if users can view log data in a browser context.
Technical summary
The official NVD record identifies CWE-79 (cross-site scripting) and lists affected CPE criteria for MyBB and MyBB Merge System versions up to and including 1.8.6. The vulnerability is exposed through Mod control panel log vectors, which means untrusted content can become active script or HTML if it is not properly encoded when rendered. Because the CVSS vector includes UI:R, exploitation depends on a user opening the affected content.
Defensive priority
Medium. Patch promptly on any exposed MyBB or Merge System deployment, especially where moderator/admin log views are reachable in the browser.
Recommended defensive actions
- Upgrade MyBB and MyBB Merge System to 1.8.7 or later, as referenced by the vendor advisory.
- Treat mod control panel logs as untrusted input and ensure output encoding is applied wherever log content is rendered in HTML.
- Review any custom plugins or templates that display moderator log entries for improper HTML or script handling.
- Limit access to moderator control panel views and log pages to only the users who truly need them.
- If upgrade is delayed, inspect existing log content for injected markup and remove or neutralize unsafe entries before they are displayed.
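As an added illustration of the output-encoding and log-inspection actions above (not MyBB's code and not the vendor's patch), the PHP below encodes every stored log field at render time and lists stored rows that contain tag-like text for review. The row layout, field names, function names and sample rows are constructed for this example.

```php
<?php
// Added illustration; not MyBB code. Field names and rows are constructed.

/** Encode a stored log value for an HTML text or quoted-attribute context. */
function encode_log_field(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one log row as a table row, encoding every field at output time. */
function render_log_row(array $row): string
{
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        encode_log_field($row['username']),
        encode_log_field($row['action']),
        encode_log_field($row['ip'])
    );
}

/** Return the ids of rows whose stored text contains tag-like sequences. */
function find_rows_with_markup(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        foreach (['username', 'action', 'ip'] as $field) {
            // Plain log text has no reason to open or close an HTML tag,
            // so any "<" followed by a tag-start character is queued for review.
            if (preg_match('/<\/?[a-z!?]/i', $row[$field])) {
                $flagged[] = $row['id'];
                break; // one hit is enough to flag this row
            }
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for stored moderator log entries.
$rows = [
    ['id' => 1, 'username' => 'alice', 'action' => 'Thread closed', 'ip' => '192.0.2.10'],
    ['id' => 2, 'username' => 'bob', 'action' => 'Edited <b>post</b> title', 'ip' => '192.0.2.11'],
];

foreach ($rows as $row) {
    echo render_log_row($row), PHP_EOL;
}
echo 'Rows to review: ', implode(', ', find_rows_with_markup($rows)), PHP_EOL;
```

Encoding at render time protects the view even when older rows already hold markup; the flagged ids only tell an operator which stored entries to inspect.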
Evidence notes
The supplied official record and NVD entry identify the issue as CVE-2016-9407, classify it as CWE-79, and provide the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The NVD CPE criteria in the source corpus mark MyBB and MyBB Merge System as vulnerable through version 1.8.6. The linked MyBB release advisory for 1.8.7 and the Openwall mailing list references corroborate the patch context.
Official resources
- CVE-2016-9407 CVE record (CVE.org)
- CVE-2016-9407 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Patch, Third Party Advisory, Vendor Advisory
The official CVE record shows CVE-2016-9407 published on 2017-01-31 and last modified on 2026-05-13. The source corpus includes the NVD record and linked vendor/third-party references describing the issue and affected versions.