PatchSiren

CVE-2016-9421 Mybb CVE debrief

CVE-2016-9421 describes a cross-site scripting issue in the Users module of the MyBB Admin control panel. NVD rates it CVSS 3.0 6.1 (Medium) with network access, no privileges required, and user interaction required. The affected products listed in NVD are MyBB and MyBB Merge System through 1.8.7, and the vendor release notes for 1.8.8 indicate the fix was available in that release line.

Vendor: Mybb
Product: CVE-2016-9421
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators and operators running MyBB or MyBB Merge System 1.8.7 or earlier should care, especially anyone exposing the admin control panel to multiple trusted users or using workflows where ACP content can be influenced by lower-trust input.

Technical summary

NVD identifies the weakness as CWE-79 (Cross-site Scripting). The vulnerable area is the Users module in the Admin control panel, and the record indicates that remote attackers may be able to inject arbitrary web script or HTML through unspecified vectors. The CVSS vector in NVD is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which indicates network reachability, low attack complexity, no required privileges, required user interaction, a changed scope, and low impact to confidentiality and integrity with no impact to availability.

Defensive priority

Medium. The issue is publicly documented, requires user interaction, and the affected versions are limited to 1.8.7 and earlier, but it can still enable session or content compromise in the admin interface if unpatched.

Recommended defensive actions

  • Upgrade MyBB and MyBB Merge System to 1.8.8 or later, as identified in the vendor release notes and NVD affected-version data.
  • Review admin control panel access paths and reduce exposure to only necessary administrative users.
  • Audit any custom templates, plugins, or admin-side extensions that may handle user-supplied fields in the Users module.
  • Apply routine content-encoding and output-escaping checks in any custom ACP code that renders user-controlled values.
  • Verify that the deployed version is no longer 1.8.7 or earlier across all instances, including merged or legacy environments.
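One way to run the version check in the last item across several installs, as an added example that is not MyBB or PatchSiren code. It assumes MyBB core declares its version in inc/class_core.php as `public $version = "x.y.z";`; the install names and file contents in demo() are constructed, and the Merge System is not covered.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 8, 8)  # first fixed release named on the page
# Assumption: MyBB core declares its version in inc/class_core.php
# as: public $version = "1.8.7";
VERSION_RE = re.compile(r'public\s+\$version\s*=\s*["\'](\d+(?:\.\d+)*)["\']')

def parse_version(php_source):
    """Return the version as an int tuple of length >= 3, or None if absent."""
    match = VERSION_RE.search(php_source)
    if match is None:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "1.8" to (1, 8, 0)

def classify(version):
    """Map a parsed version to 'affected', 'fixed' or 'unknown'."""
    if version is None:
        return "unknown"  # needs manual review, never assumed patched
    return "affected" if version < FIXED else "fixed"  # numeric, not string, compare

def audit(root):
    """Scan every MyBB install under root; return {relative_install_dir: status}."""
    report = {}
    for core in sorted(Path(root).rglob("inc/class_core.php")):
        source = core.read_text(encoding="utf-8", errors="replace")
        install = str(core.parent.parent.relative_to(root))
        report[install] = classify(parse_version(source))
    return report

def demo():
    """Build a constructed web root with three installs and audit it."""
    samples = {  # constructed sample data, not real deployments
        "forum-legacy": 'class MyBB {\n\tpublic $version = "1.8.7";\n\tpublic $version_code = 1807;\n}',
        "forum-main": 'class MyBB {\n\tpublic $version = "1.8.8";\n}',
        "forum-odd": "<?php // version line removed by a local change",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, source in samples.items():
            inc = Path(root, name, "inc")
            inc.mkdir(parents=True)
            (inc / "class_core.php").write_text(source, encoding="utf-8")
        return audit(root)

if __name__ == "__main__":
    for install, status in demo().items():
        print(f"{install}: {status}")
```

Installs reported as "unknown" should be checked by hand, since a missing or modified version line says nothing about whether the fix is present.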

Evidence notes

The vulnerability description and affected version range are taken from the supplied NVD-derived record. NVD lists CWE-79 and the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vendor advisory reference points to the MyBB 1.8.8 / Merge System 1.8.8 release notes dated 2016-10-17, and the CVE record was published on 2017-01-31. No exploit details are included in this debrief.

Official resources

Publicly disclosed in the CVE record on 2017-01-31. The vendor release notes referenced by NVD are dated 2016-10-17.