1.6.4 Security Vulnerability

When 1.6.4 was announced almost 3 months ago it was one of the biggest updates MyBB has ever released. It fixed over 100 issues and brought performance improvements for MyBB forums – large or small – across the world. It was also popular for people who were new to MyBB – starting their project for the first time.

Unfortunately, the 1.6.4 release files were contaminated by code that was not meant to be there and could open a security vulnerability on your forum. It only affects those that are running 1.6.4.

We advise that you fix the problem as soon as you can. You can do so by following these instructions:

  • Download the latest release of MyBB.
  • Replace ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
  • Remove the ./install/ folder


  • Download and follow the 1.6.4 Patch Instructions
  • If you are unable to find the affected areas, this issue does not affect you. Otherwise, remove the ./install/ folder.

If you have any problems, please report them in the General Support Forum on the Community. If you have renamed ‘index.php’, for example if you’re using the portal as your homepage, please remember to update the correct file accordingly.

We discovered the extent of this problem earlier today but with the release of MyBB 1.6.5 still being a few weeks away, forums need to be patched to protect against any vulnerabilities. We’re still investigating how our release became contaminated and if we find anything else in the mean time, we’ll be sure to let you know.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

15 thoughts on “1.6.4 Security Vulnerability

Comments are closed.