CVE-2021-27890

HIGH

MyBB < 1.8.26 - SQL Injection via Theme XML File Properties


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-27890. PoCs published by SivertPL, xiaopan233.

AI-analyzed exploit summary: This exploit chains a stored XSS (CVE-2021-27889) with a second-order SQL injection (CVE-2021-27890) in MyBB 1.8.25 to achieve remote command execution via improper string interpolation in eval(). It requires an admin with a valid ACP session to trigger the payload.

Description

SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.

Exploits (2)

exploitdb WORKING POC
by SivertPL · javascript · webapps · php
https://www.exploit-db.com/exploits/49696

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Complex
Reliability
Reliable
Target: MyBB 1.8.25
Auth required
Prerequisites: Admin with active ACP session · Ability to deliver XSS payload to admin · External server to host second-stage JS
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 10 stars
by xiaopan233 · poc
https://github.com/xiaopan233/Mybb-XSS_SQL_RCE-POC

This PoC exploits CVE-2021-27890 (SQL injection) and CVE-2021-27889 (XSS) in MyBB to achieve remote code execution by injecting malicious XML theme data and triggering file write via SQLi.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: MyBB 1.8.25
Auth required
Prerequisites: Admin session cookie · XSS payload injected into a post
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq
Exploit, Third Party Advisory x_refsource_misc
https://blog.sonarsource.com/mybb-remote-code-execution-chain

Scores

CVSS v3 8.8
EPSS 0.0252
EPSS Percentile 85.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
mybb/mybb < 1.8.26
Published Mar 15, 2021
Tracked Since Feb 18, 2026