PatchSiren

MyBB CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM MyBB CVE published 2017-01-31

CVE-2016-9413

CVE-2016-9413 describes a clickjacking issue in the MyBB Admin control panel, affecting MyBB and MyBB Merge System versions before 1.8.7. NVD rates it MEDIUM severity (CVSS 6.5) and notes that successful exploitation requires user interaction. The main risk is tricking an authenticated admin into performing unintended actions through a crafted external page or frame-based attack path.

CRITICAL MyBB CVE published 2017-01-31

CVE-2016-9412

CVE-2016-9412 is a critical access-control weakness in MyBB and MyBB Merge System before 1.8.7. The reported issue centers on low entropy in adminsid and sid values, which weakens the unpredictability of these identifiers and can potentially allow unauthorized access. NVD rates the issue 9.8/CRITICAL with network attackability, no privileges, and no user interaction required.

MEDIUM MyBB CVE published 2017-01-31

CVE-2016-9411

CVE-2016-9411 is an information-disclosure issue in MyBB and MyBB Merge System before 1.8.7. According to the NVD record, a remote attacker could learn the installation path through mail-related vectors in the Admin control panel. The issue is rated medium severity (CVSS 5.3) and maps to CWE-200. The practical fix is to move affected deployments to 1.8.7 or later and confirm that older releases are no longer exposed.

HIGH MyBB CVE published 2017-01-31

CVE-2016-9410

CVE-2016-9410 is a high-severity information disclosure issue affecting MyBB (MyBulletinBoard) and MyBB Merge System before 1.8.7. The public record says remote attackers might obtain sensitive database information through template-related vectors. NVD maps the weakness to CWE-200 and rates the issue as network-exploitable with no privileges or user interaction required.

MEDIUM MyBB CVE published 2017-01-31

CVE-2016-9409

CVE-2016-9409 is a cross-site scripting issue in the MyBB and MyBB Merge System Admin control panel, affecting versions before 1.8.7. The NVD record describes vectors involving pruning logs, and classifies the issue as medium severity with network access and user interaction required.

MEDIUM MyBB CVE published 2017-01-31

CVE-2016-9408

CVE-2016-9408 is a cross-site scripting issue in the MyBB Mod control panel and MyBB Merge System before 1.8.7. The NVD record says remote attackers may inject arbitrary web script or HTML through user-editing vectors, and the vulnerability is classified as CWE-79.

MEDIUM MyBB CVE published 2017-01-31

CVE-2016-9407

CVE-2016-9407 is a cross-site scripting (XSS) vulnerability in MyBB and MyBB Merge System before 1.8.7. According to the official record, remote attackers could inject arbitrary web script or HTML through vectors involving Mod control panel logs. The NVD entry rates the issue 6.1 (Medium) under CVSS 3.0, with a network attack vector, low confidentiality and integrity impact, no availability impact, and user interaction required.

MEDIUM MyBB CVE published 2017-01-31

CVE-2016-9406

CVE-2016-9406 is a cross-site scripting (XSS) issue in the MyBB user control panel. According to the public record, it affects MyBB and MyBB Merge System before 1.8.7 and may allow a remote attacker to inject arbitrary web script or HTML through unspecified vectors. NVD classifies it as CWE-79 with network attackability, no privileges required, but user interaction required.

MEDIUM MyBB CVE published 2017-01-31

CVE-2016-9405

CVE-2016-9405 is a cross-site scripting issue in MyBB and MyBB Merge System member validation. The NVD record classifies it as medium severity and identifies affected versions through 1.8.6. Because the flaw can let an attacker inject script or HTML, administrators should treat any exposed validation workflow as sensitive until patched.

MEDIUM MyBB CVE published 2017-01-31

CVE-2016-9404

CVE-2016-9404 is a cross-site scripting (XSS) issue affecting MyBB and MyBB Merge System versions before 1.8.7. The NVD record describes the issue as allowing remote attackers to inject arbitrary web script or HTML through vectors related to login. Because the attack requires user interaction and can impact both confidentiality and integrity, it is a meaningful web-application risk even though the CVSS sc [truncated]

CRITICAL MyBB CVE published 2017-01-31

CVE-2016-9403

CVE-2016-9403 affects MyBB and MyBB Merge System before 1.8.7. NVD describes a missing permission check in newreply.php that allows remote attackers to have unspecified impact. The NVD CVSS vector rates the issue as critical, with network access, no privileges, and no user interaction required.

CRITICAL MyBB CVE published 2017-01-31

CVE-2016-9402

CVE-2016-9402 is a critical SQL injection vulnerability affecting MyBB and MyBB Merge System versions before 1.8.7. According to NVD, it can let a remote attacker execute arbitrary SQL commands through unspecified vectors in the moderation tool. Because the issue is network-accessible, requires no privileges, and has high impact to confidentiality, integrity, and availability, it should be treated as an u [truncated]

HIGH MyBB CVE published 2017-01-31

CVE-2015-8977

CVE-2015-8977 is an information-disclosure flaw in MyBB and MyBB Merge System where error log files can reveal the installation path to a remote attacker. NVD rates it HIGH (CVSS 3.0: 7.5) with network access, no privileges, and no user interaction, and maps it to CWE-532. The vendor release notes identify MyBB 1.6.18, MyBB 1.8.6, and MyBB Merge System 1.8.6 as the fixed releases.

MEDIUM MyBB CVE published 2017-01-31

CVE-2015-8976

CVE-2015-8976 is a cross-site scripting (XSS) issue in MyBB and MyBB Merge System that can let a remote attacker inject arbitrary web script or HTML through vectors related to old upgrade files. NVD rates the issue as medium severity (CVSS 6.1) with network access, low attack complexity, no privileges, and required user interaction. The affected versions listed in the corpus are MyBB before 1.6.18, MyBB 1 [truncated]

MEDIUM MyBB CVE published 2017-01-31

CVE-2015-8975

CVE-2015-8975 describes a cross-site scripting vulnerability in the MyBB error handler. According to NVD, it affects MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The issue was publicly recorded in the CVE system on 2017-01-31, and the vendor release notes referenced by NVD point to the fixed 1.6.18 / 1.8.6 releases.

CRITICAL MyBB CVE published 2017-01-31

CVE-2015-8974

CVE-2015-8974 is a critical SQL injection issue in the Group Promotions module of the MyBB admin control panel. The NVD record classifies it as network-reachable, unauthenticated, and high impact, with a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Affected builds include MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The vendor release notes and later securit [truncated]

HIGH MyBB CVE published 2017-01-31

CVE-2015-8973

CVE-2015-8973 describes a remote access-control bypass in MyBB’s xmlhttp.php. According to NVD, the issue affects MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The vulnerability is rated HIGH (CVSS 8.3) and can let a network attacker bypass intended restrictions tied to the forum password.