CVE-2023-41362

HIGH

MyBB < 1.8.36 - Authenticated Code Injection via Admin CP Template Eval

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-41362. PoCs published by SorceryIE.

AI-analyzed exploit summary

This repository contains a functional exploit for CVE-2023-41362, a MyBB Admin Control Panel (ACP) Remote Code Execution (RCE) vulnerability. The exploit leverages template injection via catastrophic regex backtracking to bypass filters and achieve arbitrary code execution.

Description

MyBB before 1.8.36 allows code injection by users with certain high privileges. Templates in the Admin CP intentionally use eval, and the input passed to eval was validated, but PHP type juggling interfered with that validation when the check relied on PCRE.

Exploits (1)

nomisec · Working PoC · 7 stars
by SorceryIE · poc
https://github.com/SorceryIE/CVE-2023-41362_MyBB_ACP_RCE

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MyBB (specific version not specified in code)
Auth required: yes
Prerequisites: Admin credentials for MyBB ACP · Access to the target MyBB instance
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3 7.2
EPSS 0.0164
EPSS Percentile 73.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
mybb/mybb < 1.8.36
Published Aug 29, 2023
Tracked Since Feb 18, 2026