CVE-2023-53977

MEDIUM

MyBB Forums 1.8.26 - Authenticated Stored Cross-Site Scripting via Forum Title Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53977. PoCs published by Andrey Stoykov.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in MyBB 1.8.26 by injecting malicious payloads into template names, forum titles, and announcements. The payloads are rendered unsanitized in the admin interface, leading to arbitrary JavaScript execution.

Description

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when adding new forums through the 'Forums and Posts' > 'Forum Management' interface, causing arbitrary JavaScript to execute when the forum listing is viewed.

Exploits (1)

exploitdb WORKING POC
by Andrey Stoykov · textwebappsphp
https://www.exploit-db.com/exploits/51136

This exploit demonstrates a stored XSS vulnerability in MyBB 1.8.26 by injecting malicious payloads into template names, forum titles, and announcements. The payloads are rendered unsanitized in the admin interface, leading to arbitrary JavaScript execution.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: MyBB 1.8.26
Auth required
Prerequisites: Admin access to MyBB · Ability to modify templates, forums, or announcements
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 5.4
EPSS 0.0019
EPSS Percentile 9.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
mybb/mybb 1.8.26
Mybb/myBB forums 1.8.26
Published Dec 22, 2025
Tracked Since Feb 18, 2026