CVE-2023-53976

MEDIUM

myBB 1.8.26 - Authenticated Stored Cross-Site Scripting in Template Title Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53976. PoCs published by Andrey Stoykov.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in MyBB 1.8.26 by injecting malicious payloads into template names, forum titles, and announcements. The payloads are rendered unsanitized in the admin interface, leading to arbitrary JavaScript execution.

Description

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in the template title field when adding new templates through the 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates' interface, causing arbitrary JavaScript to execute when the template is viewed.

Exploits (1)

exploitdb WORKING POC
by Andrey Stoykov · textwebappsphp
https://www.exploit-db.com/exploits/51136

This exploit demonstrates a stored XSS vulnerability in MyBB 1.8.26 by injecting malicious payloads into template names, forum titles, and announcements. The payloads are rendered unsanitized in the admin interface, leading to arbitrary JavaScript execution.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: MyBB 1.8.26
Auth required
Prerequisites: Admin access to MyBB · Ability to modify templates, forums, or announcements
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 5.4
EPSS 0.0021
EPSS Percentile 10.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
mybb/mybb 1.8.26
Mybb/myBB forums 1.8.26
Published Dec 22, 2025
Tracked Since Feb 18, 2026