CVE-2005-3326

MyBulletinBoard - SQL Injection via usercp.php awayday Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-3326. PoCs published by Animal.

AI-analyzed exploit summary This Perl script exploits an SQL injection vulnerability in MyBulletinBoard (MyBB) Preview Release 2 by manipulating the 'awayreason' parameter in a POST request to usercp.php, allowing an attacker to change a user's group to gain administrative privileges.

Description

SQL injection vulnerability in usercp.php in MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the awayday parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Animal · perlwebappsphp
https://www.exploit-db.com/exploits/26396

This Perl script exploits an SQL injection vulnerability in MyBulletinBoard (MyBB) Preview Release 2 by manipulating the 'awayreason' parameter in a POST request to usercp.php, allowing an attacker to change a user's group to gain administrative privileges.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: MyBulletinBoard (MyBB) Preview Release 2
Auth required
Prerequisites: Registered user account on the target MyBB instance · Valid session cookie (mybbuser field) · Knowledge of target user ID and desired group ID
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/414672
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/20700
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15204

Scores

EPSS 0.0242
EPSS Percentile 82.0%

Details

Status published
Products (2)
mybulletinboard/mybulletinboard 1.0_pr2
mybulletinboard/mybulletinboard rc4
Published Oct 27, 2005
Tracked Since Feb 18, 2026