Description
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.
Exploits (1)
nomisec
WORKING POC
7 stars
by SorceryIE · poc
https://github.com/SorceryIE/CVE-2023-41362_MyBB_ACP_RCE
References (4)
Core 4
Core References
Patch, Third Party Advisory
https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5
Release Notes
https://mybb.com/versions/1.8.36/
Various Sources
https://blog.sorcery.ie/posts/mybb_acp_rce/
Scores
CVSS v3
7.2
EPSS
0.2354
EPSS Percentile
96.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (1)
mybb/mybb
< 1.8.36
Published
Aug 29, 2023
Tracked Since
Feb 18, 2026