These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2021-47934 describes multiple web application issues in MyBB Timeline Plugin 1.0: cross-site scripting through thread titles, post content, and profile fields such as Location and Bio, plus a CSRF issue in timeline.php profile actions that can be used to change a user's cover picture. The risk is highest where the plugin is installed and exposed to untrusted user input or profile interactions.
CVE-2016-9421 describes a cross-site scripting issue in the Users module of the MyBB Admin control panel. NVD rates it CVSS 3.0 6.1 (Medium) with network access, no privileges required, and user interaction required. The affected products listed in NVD are MyBB and MyBB Merge System through 1.8.7, and the vendor release notes for 1.8.8 indicate the fix was available in that release line.
CVE-2016-9420 is a critical flaw in MyBB and MyBB Merge System before 1.8.8. NVD ties the issue to "loose comparison false positives" and rates the impact as potentially severe, with network access possible without authentication or user interaction.
CVE-2016-9419 is a cross-site scripting (XSS) vulnerability in the MyBB Admin control panel and the MyBB Merge System before 1.8.8. NVD maps the issue to CWE-79 and rates it as network-reachable with user interaction required, allowing injected web script or HTML to affect confidentiality and integrity at a low level. The vendor release notes referenced in the CVE record point to MyBB 1.8.8 / Merge System [truncated]
CVE-2016-9418 is a Windows-specific information disclosure issue in MyBB and MyBB Merge System before 1.8.8. According to NVD, remote attackers could obtain sensitive information from ACP backups via a short-name related vector, with no privileges or user interaction required.
CVE-2016-9417 is a server-side request forgery (SSRF) issue in MyBB and MyBB Merge System versions before 1.8.8. The flaw is identified in the fetch_remote_file function and was assigned a HIGH severity score by NVD. The main security concern is that a remote attacker may be able to make the forum server initiate requests to attacker-influenced destinations, which can expose internal services or other net [truncated]
CVE-2016-9416 is a critical SQL injection vulnerability in MyBB’s users data handler. According to the CVE record, affected MyBB and MyBB Merge System installations before 1.8.8 can be abused by a remote attacker to execute arbitrary SQL commands.
CVE-2016-9415 is a high-severity integrity issue in MyBB and MyBB Merge System before 1.8.8 on Windows. A remote attacker can overwrite arbitrary CSS files through vectors tied to style import, which can alter site presentation and potentially support follow-on tampering. The public reference trail shows vendor release notes and security mailing list discussion before the CVE record was published.
CVE-2016-9414 is a high-severity information disclosure issue in MyBB and MyBB Merge System before 1.8.7. The NVD record says remote attackers could obtain sensitive information by taking advantage of missing directory listing protection in upload directories. The CVE was published on 2017-01-31 and later modified on 2026-05-13.
CVE-2016-9413 describes a clickjacking issue in the MyBB Admin control panel, affecting MyBB and MyBB Merge System versions before 1.8.7. NVD rates it MEDIUM severity (CVSS 6.5) and notes that successful exploitation requires user interaction. The main risk is tricking an authenticated admin into performing unintended actions through a crafted external page or frame-based attack path.
CVE-2016-9412 is a critical access-control weakness in MyBB and MyBB Merge System before 1.8.7. The reported issue centers on low entropy in adminsid and sid values, which can weaken identifier unpredictability and potentially allow unauthorized access paths. NVD rates the issue 9.8/CRITICAL with network attackability, no privileges, and no user interaction required.
CVE-2016-9411 is an information-disclosure issue in MyBB and MyBB Merge System before 1.8.7. According to the NVD record, a remote attacker could learn the installation path through mail-related vectors in the Admin control panel. The issue is rated medium severity (CVSS 5.3) and maps to CWE-200. The practical fix is to move affected deployments to 1.8.7 or later and confirm that older releases are no longer exposed.
CVE-2016-9410 is a high-severity information disclosure issue affecting MyBB (MyBulletinBoard) and MyBB Merge System before 1.8.7. The public record says remote attackers might obtain sensitive database information through template-related vectors. NVD maps the weakness to CWE-200 and rates the issue as network-exploitable with no privileges or user interaction required.
CVE-2016-9409 is a cross-site scripting issue in the MyBB and MyBB Merge System Admin control panel, affecting versions before 1.8.7. The NVD record describes vectors involving pruning logs, and classifies the issue as medium severity with network access and user interaction required.
CVE-2016-9408 is a cross-site scripting issue in the MyBB Mod control panel and MyBB Merge System before 1.8.7. The NVD record says remote attackers may inject arbitrary web script or HTML through user-editing vectors, and the vulnerability is classified as CWE-79.
CVE-2016-9407 is a cross-site scripting (XSS) vulnerability in MyBB and MyBB Merge System before 1.8.7. According to the official record, remote attackers could inject arbitrary web script or HTML through vectors involving Mod control panel logs. The NVD entry rates the issue as CVSS 3.0 6.1 (Medium) with network attack, low confidentiality and integrity impact, no availability impact, and user interaction required.
CVE-2016-9406 is a cross-site scripting (XSS) issue in the MyBB user control panel. According to the public record, it affects MyBB and MyBB Merge System before 1.8.7 and may allow a remote attacker to inject arbitrary web script or HTML through unspecified vectors. NVD classifies it as CWE-79 with network attackability, no privileges required, but user interaction required.
CVE-2016-9405 is a cross-site scripting issue in MyBB and MyBB Merge System member validation. The NVD record classifies it as medium severity and identifies affected versions through 1.8.6. Because the flaw can let an attacker inject script or HTML, administrators should treat any exposed validation workflow as sensitive until patched.
CVE-2016-9404 is a cross-site scripting (XSS) issue affecting MyBB and MyBB Merge System versions before 1.8.7. The NVD record describes the issue as allowing remote attackers to inject arbitrary web script or HTML through vectors related to login. Because the attack requires user interaction and can impact both confidentiality and integrity, it is a meaningful web-application risk even though the CVSS sc [truncated]
CVE-2016-9403 affects MyBB and MyBB Merge System before 1.8.7. NVD describes a missing permission check in newreply.php that allows remote attackers to have unspecified impact. The NVD CVSS vector rates the issue as critical, with network access, no privileges, and no user interaction required.
CVE-2016-9402 is a critical SQL injection vulnerability affecting MyBB and MyBB Merge System versions before 1.8.7. According to NVD, it can let a remote attacker execute arbitrary SQL commands through unspecified vectors in the moderation tool. Because the issue is network-accessible, requires no privileges, and has high impact to confidentiality, integrity, and availability, it should be treated as an u [truncated]
CVE-2015-8977 is an information-disclosure flaw in MyBB and MyBB Merge System where error log files can reveal the installation path to a remote attacker. NVD rates it HIGH (CVSS 3.0: 7.5) with network access, no privileges, and no user interaction, and maps it to CWE-532. The vendor release notes identify fixed releases for MyBB 1.6.18, MyBB 1.8.6, and MyBB Merge System 1.8.6.
CVE-2015-8976 is a cross-site scripting (XSS) issue in MyBB and MyBB Merge System that can let a remote attacker inject arbitrary web script or HTML through vectors related to old upgrade files. NVD rates the issue as medium severity (CVSS 6.1) with network access, low attack complexity, no privileges, and required user interaction. The affected versions listed in the corpus are MyBB before 1.6.18, MyBB 1 [truncated]
CVE-2015-8975 describes a cross-site scripting vulnerability in the MyBB error handler. According to NVD, it affects MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The issue was publicly recorded in the CVE system on 2017-01-31, and the vendor release notes referenced by NVD point to the fixed 1.6.18 / 1.8.6 releases.
CVE-2015-8974 is a critical SQL injection issue in the Group Promotions module of the MyBB admin control panel. The NVD record classifies it as network-reachable, unauthenticated, and high impact, with a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Affected builds include MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The vendor release notes and later securit [truncated]
CVE-2015-8973 describes a remote access-control bypass in MyBB’s xmlhttp.php. According to NVD, the issue affects MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The vulnerability is rated HIGH (CVSS 8.3) and can let a network attacker bypass intended restrictions tied to the forum password.