PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9409 Mybb CVE debrief

CVE-2016-9409 is a cross-site scripting issue in the MyBB and MyBB Merge System Admin control panel, affecting versions before 1.8.7. The NVD record describes vectors involving pruning logs, and classifies the issue as medium severity with network access and user interaction required.

Vendor
MyBB
Product
MyBB, MyBB Merge System
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-31
Original CVE updated
2026-05-13
Advisory published
2017-01-31
Advisory updated
2026-05-13

Who should care

MyBB administrators, forum operators, and defenders responsible for web application hardening should care most, especially if staff use the Admin control panel or review pruning logs.

Technical summary

NVD maps the weakness to CWE-79 and gives CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerable products are MyBB and MyBB Merge System through 1.8.6, with the issue tied to pruning-log handling in the Admin control panel; the NVD record does not name the specific parameter. The impact is script or HTML injection in an admin-facing context: UI:R and S:C reflect that an administrator must load the crafted content, after which the injected script runs in that administrator's browser session and can read whatever the page exposes or submit Admin control panel actions with the administrator's privileges.

Defensive priority

Medium. Patch promptly on any exposed or actively administered MyBB deployment, because the issue targets privileged web workflows even though it requires user interaction.

Recommended defensive actions

  • Update MyBB and MyBB Merge System to 1.8.7 or later.
  • Restrict Admin control panel access to trusted administrators only, for example with an IP allow-list or an additional authentication layer in front of the admin directory.
  • Review pruning-log workflows for places where log values are written into HTML without output encoding.
  • Before or during the upgrade, inspect stored log content for markup or script and clear or sanitize anything that an admin page could render.
  • Set the Secure and HttpOnly flags on session cookies and keep staff browsers current; note that a script running inside the Admin control panel can still act with the administrator's privileges even when the cookie itself is unreadable.
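The PHP below is an added illustration and is not MyBB's code. It shows the CWE-79 pattern described in the technical summary (log values concatenated into Admin control panel markup without output encoding) beside a hardened renderer, plus a small audit pass over stored rows of the kind the sanitization step above calls for. The row fields (username, action, dateline) and the sample entries, including the payload, are constructed for the example and are not taken from the NVD record.

```php
<?php
// Illustrative pruning-log viewer, not MyBB's code. Row layout and sample
// data are assumptions made for this example.
declare(strict_types=1);

// Constructed sample rows: one benign entry and one carrying a stored payload.
$rows = [
    ['username' => 'alice',   'action' => 'Pruned threads older than 30 days', 'dateline' => '2017-01-30 10:15'],
    ['username' => 'mallory', 'action' => 'Pruned <img src=x onerror="alert(document.cookie)"> threads', 'dateline' => '2017-01-30 11:02'],
];

// Vulnerable renderer (CWE-79): stored values are interpolated into markup
// unescaped, so any HTML or script in a log row executes in the admin's browser.
function render_log_vulnerable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= "<tr><td>{$row['username']}</td><td>{$row['action']}</td><td>{$row['dateline']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Output encoding for the HTML element context. ENT_QUOTES also encodes
// single quotes, which matters if a value ever lands inside an attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened renderer: every untrusted value passes through h() before
// being written into the page.
function render_log_safe(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . h($row['username']) . '</td><td>' . h($row['action'])
               . '</td><td>' . h($row['dateline']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Heuristic audit over stored log rows: flags values that contain tags
// (strip_tags changes them) or event-handler / javascript: fragments.
// Intended to surface rows to review or clear, not as a sanitizer itself.
function find_markup_in_log(array $rows): array
{
    $flagged = [];
    foreach ($rows as $i => $row) {
        foreach ($row as $field => $value) {
            if ($value !== strip_tags($value) || preg_match('/on\w+\s*=|javascript:/i', $value)) {
                $flagged[] = ['row' => $i, 'field' => $field, 'value' => $value];
            }
        }
    }
    return $flagged;
}

echo "Vulnerable output:\n", render_log_vulnerable($rows), "\n";
echo "Hardened output:\n", render_log_safe($rows), "\n";
echo "Flagged entries:\n";
foreach (find_markup_in_log($rows) as $hit) {
    printf("row %d, field %s: %s\n", $hit['row'], $hit['field'], $hit['value']);
}
```

Run it with `php viewer.php`: the vulnerable output contains the raw `<img ... onerror=...>` tag, the hardened output contains `&lt;img ...&gt;` as inert text, and the audit pass reports the second row's `action` field. The audit is deliberately over-inclusive (a value such as `a < b` may be flagged); the fix for the vulnerability is the encoding in the renderer, and the audit only helps find stored content that an unpatched page would execute.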

Evidence notes

The source corpus includes the NVD CVE record, which states that MyBB and MyBB Merge System before 1.8.7 may allow arbitrary web script or HTML injection via pruning-log related vectors in the Admin control panel. The NVD record also lists affected CPEs through 1.8.6, CWE-79, the CVSS vector, and supporting references to MyBB release notes, oss-security mailing-list posts, and a SecurityFocus entry. This debrief relies on those supplied record details and reference URLs; it does not add claims from unfetched source content.

Official resources

Published by NVD on 2017-01-31; the supplied record was last modified on 2026-05-13. The CVE is not listed in CISA KEV in the provided data.