PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9413 MyBB CVE debrief

CVE-2016-9413 describes a clickjacking issue in the MyBB Admin control panel, affecting MyBB and MyBB Merge System versions before 1.8.7. NVD rates it MEDIUM severity (CVSS 6.5) and notes that successful exploitation requires user interaction. The main risk is tricking an authenticated admin into performing unintended actions through a crafted external page or frame-based attack path.

Vendor: MyBB
Product: CVE-2016-9413
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

MyBB forum administrators, operators of MyBB Merge System deployments, and security teams responsible for any MyBB installation that may still be on a version earlier than 1.8.7.

Technical summary

NVD lists the issue under CWE-284 and maps it to CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. That combination is consistent with a network-reachable attack that depends on user interaction and can impact integrity, especially in an administrative web interface. The vulnerable products and version ranges in NVD are MyBB and MyBB Merge System up to and including 1.8.6.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade MyBB and MyBB Merge System to version 1.8.7 or later.
  • Review any administrative pages that can be embedded or framed and apply clickjacking defenses where supported.
  • Restrict access to the admin control panel to trusted users and networks where practical.
  • Verify that forum administrators are aware of the risk of interacting with untrusted pages while authenticated to the admin interface.
  • Confirm current deployment versions against the affected CPE ranges listed by NVD.
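
As a way to carry out the review of frameable admin pages, the following added example (not code from MyBB, NVD or the advisory) classifies a response's anti-framing headers. The function names and the sample header sets are constructed for illustration; feed it the headers your own admin pages return.

```python
# Added example: audit response headers for anti-framing (clickjacking) defenses.
# Sample headers are constructed; no MyBB-specific paths or responses are assumed.

def parse_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_verdict(headers):
    """Classify a response as 'protected', 'weak' or 'unprotected', with a reason."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # Browsers that enforce frame-ancestors ignore X-Frame-Options,
        # so a permissive directive overrides an otherwise strict XFO header.
        if not ancestors:
            return ("weak", "empty frame-ancestors; state 'none' or 'self' explicitly")
        permissive = [s for s in ancestors if s in ("*", "http:", "https:")]
        if permissive:
            return ("weak", "frame-ancestors allows any origin: " + " ".join(permissive))
        return ("protected", "CSP frame-ancestors " + " ".join(ancestors))
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("protected", "X-Frame-Options " + xfo)
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and not honoured by current browsers.
        return ("weak", "X-Frame-Options ALLOW-FROM is not honoured by modern browsers")
    if xfo:
        return ("weak", "unrecognised X-Frame-Options value: " + xfo)
    return ("unprotected", "no frame-ancestors directive or X-Frame-Options header")

SAMPLES = {  # constructed response headers, not captured from a real site
    "no-headers": {"Content-Type": "text/html"},
    "xfo": {"X-Frame-Options": "sameorigin"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-star": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.org"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, *framing_verdict(hdrs), sep=" | ")
```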

Evidence notes

The supplied NVD record states the vulnerability affects cpe:2.3:a:mybb:mybb and cpe:2.3:a:mybb:merge_system through version 1.8.6, with CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N and CWE-284. The record also cites a MyBB vendor advisory/release reference and Openwall mailing list references. NVD published the CVE record on 2017-01-31 and later modified it on 2026-05-13.

Official resources

Publicly disclosed through the vendor and advisory references cited by NVD; the CVE record was published by NVD on 2017-01-31.