MyBB 1.8.22 Released — Security & Maintenance Release

MyBB 1.8.22 is now available, and is a security & maintenance release.

Note: this version removes the discontinued Yahoo profile field, which may have been customized for other purposes.

  • 5 security vulnerabilities addressed:

    • High risk: Installer RCE on settings file write — reported by yelang123 of Stealien
    • Medium risk: Arbitrary upload paths & Local File Inclusion RCE — reported by CNCERT
    • Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data — reported by Devilshakerz of MyBB Team
    • Low risk: Open redirect on login — reported by Jyoti Raval of Qualys
    • Low risk: SCEditor reflected XSS — reported by Cillian Collins, bl4ckh4ck5
  • 36 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

MyBB Team