CVE-2023-53979

HIGH

MyBB 1.8.32 - Authenticated Remote Code Execution via Chained Avatar Upload and Language Configuration

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53979. PoCs published by lUc1f3r11.

AI-analyzed exploit summary: This exploit chains a Local File Inclusion (LFI) vulnerability with an authenticated avatar upload feature in MyBB 1.8.32 to achieve Remote Code Execution (RCE). It modifies the avatar upload path to bypass restrictions and uploads a malicious PNG file containing PHP code.

Description

MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface.

Exploits (1)

exploitdb WORKING POC
by lUc1f3r11 · python · webapps · php
https://www.exploit-db.com/exploits/51213

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MyBB 1.8.32
Auth required
Prerequisites: Admin credentials for MyBB · Ability to modify settings and upload avatars · A PNG file with embedded PHP code
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.8
EPSS: 0.0070
EPSS Percentile: 48.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-22
Status: published
Products (1): mybb/mybb 1.8.32
Published: Dec 22, 2025
Tracked Since: Feb 18, 2026