PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9418 MyBB CVE debrief

CVE-2016-9418 is a Windows-specific information disclosure issue in MyBB and MyBB Merge System before 1.8.8. According to NVD, remote attackers could obtain sensitive information from ACP backups via a short-name-related vector, with no privileges or user interaction required.

Vendor: MyBB
Product: CVE-2016-9418
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators running MyBB or MyBB Merge System on Windows, especially if ACP backup files are present or reachable on hosted web servers.

Technical summary

NVD classifies the flaw as CWE-200 and assigns a CVSS 3.0 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The vulnerable CPEs cover MyBB and MyBB Merge System through 1.8.7; the issue is tied to Windows-hosted deployments of these products, not to Microsoft Windows itself.

Defensive priority

High — unauthenticated network exposure with high confidentiality impact on administrative backup data.

Recommended defensive actions

  • Upgrade MyBB and MyBB Merge System to version 1.8.8 or later.
  • Confirm Windows-hosted instances are not running affected versions 1.8.7 or earlier.
  • Review ACP backup storage and remove any backup material that should not be web-accessible.
  • Restrict access to administrative backup paths and verify they are not exposed through the web server.
  • Validate the deployment after upgrade and check for any residual disclosure of sensitive backup data.
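A local audit script for the actions above, added here as an example and not code from PatchSiren or the MyBB project. It assumes placeholder install and backup paths, that the version string lives in inc\class_core.php, and that "short-name" in the advisory refers to Windows 8.3 short file names; it reports, it does not change anything.

```powershell
# Added example: audit a Windows-hosted MyBB install for CVE-2016-9418 exposure.
# Assumptions (labelled): placeholder paths below; 8.3 short names are the
# "short-name" vector; MyBB keeps its version in inc\class_core.php.
param(
    [string]$MyBBRoot  = 'C:\inetpub\wwwroot\mybb',                # placeholder
    [string]$BackupDir = 'C:\inetpub\wwwroot\mybb\admin\backups'   # placeholder
)

# 1. Version check: anything below 1.8.8 is in the affected range.
$coreFile = Join-Path $MyBBRoot 'inc\class_core.php'
$match = Select-String -Path $coreFile -Pattern '\$version\s*=\s*"([^"]+)"' | Select-Object -First 1
if ($match) {
    $ver = [version]$match.Matches[0].Groups[1].Value
    $status = if ($ver -lt [version]'1.8.8') { 'AFFECTED (upgrade to 1.8.8 or later)' } else { 'patched range' }
    Write-Output "MyBB version $ver : $status"
} else {
    Write-Warning "Could not read the MyBB version from $coreFile"
}

# 2. Is 8.3 short-name generation enabled on the volume holding the backups?
#    (fsutil needs an elevated prompt; output is shown as-is.)
$drive = Split-Path -Qualifier $BackupDir
Write-Output "8.3 name state for ${drive}:"
fsutil 8dot3name query $drive

# 3. Backups under the web root are reachable by the web server unless blocked.
if ($BackupDir.StartsWith($MyBBRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "Backup directory sits under the web root: $BackupDir"
}

# 4. List backup files and whether each carries a second, shorter 8.3 alias.
$fso = New-Object -ComObject Scripting.FileSystemObject
Get-ChildItem -Path $BackupDir -File -ErrorAction SilentlyContinue | ForEach-Object {
    $short = $fso.GetFile($_.FullName).ShortName
    [pscustomobject]@{
        Name          = $_.Name
        HasShortAlias = ($short -ne $_.Name)   # True: file is also addressable by its 8.3 name
        SizeBytes     = $_.Length
        LastWrite     = $_.LastWriteTime
    }
} | Format-Table -AutoSize
```

Files reported with HasShortAlias = True are the ones to move out of the web root or delete once no longer needed; rerun after the upgrade to confirm nothing remains exposed.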

Evidence notes

The NVD record states that MyBB and MyBB Merge System before 1.8.8 on Windows may expose sensitive information from ACP backups via a short-name-related vector. It also lists CWE-200 and a CVSS 3.0 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), and marks MyBB and MyBB Merge System through 1.8.7 as vulnerable CPEs. The record references the MyBB 1.8.8 and Merge System 1.8.8 release note and OSS-security mailing list posts from October and November 2016 as supporting material.

Official resources

The NVD record cites public vendor release notes dated 2016-10-17 and OSS-security mailing list posts from 2016-11-10 and 2016-11-18. The CVE itself was published on 2017-01-31.