CVE-2018-15596

MEDIUM

MyBB 1.8.17 - Cross-Site Scripting in RSS Syndication Feed

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-15596. PoCs published by 0xB9.

AI-analyzed exploit summary: This is a writeup describing a Cross-Site Scripting (XSS) vulnerability in MyBB 1.8.17. The exploit leverages unsanitized thread titles in the RSS Syndication feed to redirect users to an arbitrary URL.

Description

An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS.

Exploits (1)

exploitdb WRITEUP
by 0xB9 · text · webapps · php
https://www.exploit-db.com/exploits/45393


Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: MyBB 1.8.17
Auth required
Prerequisites: Access to create or edit a thread title in the MyBB forum · RSS Syndication feature enabled
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45393/

Scores

CVSS v3 6.1
EPSS 0.0226
EPSS Percentile 80.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
mybb/mybb 1.8.17
Published Aug 28, 2018
Tracked Since Feb 18, 2026