PatchSiren cyber security CVE debrief

CVE-2016-9412 MyBB CVE debrief

CVE-2016-9412 is a critical access-control weakness in MyBB and MyBB Merge System before 1.8.7. The reported issue centers on low entropy in the adminsid and sid values, which makes these identifiers more predictable than they should be and may open unauthorized access paths. NVD rates the issue 9.8/CRITICAL, with a network attack vector and no privileges or user interaction required.

Vendor: MyBB
Product: CVE-2016-9412
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running MyBB or MyBB Merge System versions 1.8.6 or earlier should prioritize this immediately, especially if the forum or merge system is internet-facing or used for privileged account management.

Technical summary

NVD classifies the weakness as CWE-284 (Improper Access Control). The vulnerable range covers MyBB and MyBB Merge System through 1.8.6, with the fix referenced by the vendor release notes for 1.8.7. The source description does not specify a single impact path, but the low-entropy adminsid and sid wording points to session or administrative identifier weakness rather than a memory-safety flaw.
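Because the record describes the weakness only as low entropy in sid and adminsid, the most useful thing a defender can do with it is measure how unpredictable the identifiers their own deployment issues actually are. The following is an added Python example, not MyBB's code: it scores a sample of identifiers by per-position Shannon entropy and counts positions that never change. The sequential "weak" generator is a constructed illustration of what a low-entropy identifier looks like, not a description of the real MyBB implementation.

```python
import math
import secrets
from collections import Counter


def audit_session_ids(ids):
    """Score a sample of session identifiers for unpredictability.

    For each character position the Shannon entropy of the observed symbols
    is computed and summed. The sum is an optimistic estimate (it ignores
    correlations between positions), so a LOW score is a reliable warning
    while a high score is only necessary, not sufficient.
    Returns (estimated_bits, fixed_positions); fixed_positions counts
    positions that never vary across the sample, a hallmark of identifiers
    derived from timestamps or counters.
    """
    if not ids:
        raise ValueError("need at least one identifier")
    width = min(len(i) for i in ids)
    n = len(ids)
    bits = 0.0
    fixed = 0
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        if len(counts) == 1:
            fixed += 1
            continue
        bits += -sum((c / n) * math.log2(c / n) for c in counts.values())
    return round(bits, 2), fixed


# Constructed illustration of a low-entropy scheme (NOT MyBB's actual
# generator): a fixed prefix plus a sequential counter, rendered as hex.
WEAK_BASE = int("0123456789abcdef0123456789ab0000", 16)


def weak_ids(count):
    return [format(WEAK_BASE + i, "032x") for i in range(count)]


def strong_ids(count):
    # 128 bits from the OS CSPRNG: the property a patched generator should have.
    return [secrets.token_hex(16) for _ in range(count)]


if __name__ == "__main__":
    for label, sample in (("weak", weak_ids(1000)), ("strong", strong_ids(1000))):
        est, fixed = audit_session_ids(sample)
        print(f"{label}: ~{est} bits estimated, {fixed} fixed positions")
```

Run it against a few hundred sid or adminsid values harvested from your own test instance; a double-digit estimate or many fixed positions is the signal that the identifier generator, not just the version string, needs attention.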

Defensive priority

Urgent. Patch exposed deployments to 1.8.7 or later and treat any unpatched deployment as high risk, because the CVSS vector indicates remote, unauthenticated exploitation with high confidentiality, integrity, and availability impact.

Recommended defensive actions

  • Upgrade MyBB and MyBB Merge System to 1.8.7 or later as the primary remediation.
  • Inventory all forum and merge-system deployments, including test and legacy instances, to confirm whether versions 1.8.6 or earlier are present.
  • Review administrative access and session handling for suspicious logins or unexpected privilege changes around the affected period.
  • If compromise is suspected, invalidate active sessions and review privileged credentials and account states.
  • Limit exposure of administrative interfaces and monitor for abnormal authentication or identifier-guessing patterns until patching is complete.

Evidence notes

The supplied NVD data lists the affected CPE ranges as MyBB and MyBB Merge System through 1.8.6, assigns the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and maps the weakness to CWE-284. Source references include the MyBB 1.8.7 / Merge System 1.8.7 release notes and OSS security mailing-list advisories, which corroborate the fix version. The description itself says only that the issue relates to low adminsid and sid entropy and does not provide a more specific exploit path.

Official resources

Publicly disclosed in the CVE record on 2017-01-31. No CISA KEV entry is present in the supplied data.