CVE-2025-29458
HIGHMyBB 1.8.38 Change Avatar - Server-Side Request Forgery
Title source: manualDescription
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References (2)
Core 2
Core References
Mitigation, Product
https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses
Exploit, Third Party Advisory
https://www.yuque.com/morysummer/vx41bz/qu7zyyxr84qno64e
Scores
CVSS v3
7.6
EPSS
0.0037
EPSS Percentile
28.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
mybb/mybb
1.8.38
Published
Apr 17, 2025
Tracked Since
Feb 18, 2026