EIP-2026-109715

PRE-CVE

MyBB Forums 1.8.2 - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-109715. PoCs published by Avinash Thapa.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in MyBB 1.8.2 by injecting malicious JavaScript into the 'Custom User Title' field, which executes when viewed in the calendar event page. The PoC includes detailed HTTP request/response examples and step-by-step reproduction instructions.

Description

MyBB Forums 1.8.2 - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC VERIFIED

by Avinash Thapa · textwebappsphp

https://www.exploit-db.com/exploits/35266

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in MyBB 1.8.2 by injecting malicious JavaScript into the 'Custom User Title' field, which executes when viewed in the calendar event page. The PoC includes detailed HTTP request/response examples and step-by-step reproduction instructions.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: MyBB 1.8.2

Auth required

Prerequisites: Valid user account on the MyBB forum · Access to the 'Edit Profile' section

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026