CVE-2017-16781

MEDIUM

MyBB < 1.8.12 - Cross-Site Scripting in Installer

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-16781. PoCs published by Pabstersac.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in MyBB's installer (versions up to 1.8.13) due to lack of HTML escaping in error messages. The PoC submits a malicious POST request with a payload in the database hostname field, triggering JavaScript execution when the error is displayed.

Description

The installer in MyBB before 1.8.13 has XSS.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Pabstersac · text · webapps · php
https://www.exploit-db.com/exploits/43137

Classification
Working PoC: 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: MyBB up to 1.8.13
No auth needed
Prerequisites: Access to the MyBB installer page
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43137/

Scores

CVSS v3: 5.4
EPSS: 0.0158
EPSS Percentile: 72.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): mybb/mybb < 1.8.12
Published: Nov 10, 2017
Tracked Since: Feb 18, 2026