MyBB 1.8.26 Released — Security Release

MyBB 1.8.26 is now available, and is a security release.

  • 6 security vulnerabilities addressed:

    • High risk: Nested Auto URL persistent XSS (advisory) — reported by Simon Scannell & Carl Smith
    • Medium risk: Theme properties SQL injection (advisory) — reported by Simon Scannell & Carl Smith
    • Medium risk: Poll vote count SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Medium risk: Forum Management SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Medium risk: Usergroups SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: Custom moderator tools reflected XSS (advisory) — reported by Devilshakerz (MyBB Team)

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.25 Released — Security Release

MyBB 1.8.25 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: Nested Email MyCode Persistent XSS (advisory) — reported by Igor Sak-Sakovskiy

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.24 Released — Security Release

MyBB 1.8.24 is now available, and is a security release.

After running the upgrade, make sure to update the version attribute in the codebuttons template for non-default themes.

  • 1 security vulnerability addressed:

    • High risk: MyCode message formatting XSS in visual editor (advisory) — reported by Murphy

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.23 Released — Security & Maintenance Release

MyBB 1.8.23 is now available, and is a security & maintenance release.

This release includes added support for hCaptcha, reCAPTCHA v3, APCu, Redis, improvements related to ACP’s Thread Prefixes management, UTF-8 search, performance, and updates jQuery to 3.5.1.

Themes: content of global.css stylesheet may need updating (#3977).

Extension developers: always use verify_post_check() for my_post_key token verification (#4022); positions of some hooks were changed (#3648); the banned datacache was removed (#3878).

  • 1 security vulnerability addressed:

    • Medium risk: Anti-CSRF token disclosure in online status location — reported by Mipher
  • 101 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.22 Released — Security & Maintenance Release

MyBB 1.8.22 is now available, and is a security & maintenance release.

Note: this version removes the discontinued Yahoo profile field, which may have been customized for other purposes.

  • 5 security vulnerabilities addressed:

    • High risk: Installer RCE on settings file write — reported by yelang123 of Stealien
    • Medium risk: Arbitrary upload paths & Local File Inclusion RCE — reported by CNCERT
    • Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data — reported by Devilshakerz of MyBB Team
    • Low risk: Open redirect on login — reported by Jyoti Raval of Qualys
    • Low risk: SCEditor reflected XSS — reported by Cillian Collins, bl4ckh4ck5
  • 36 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.21 Released — Security & Maintenance Release

MyBB 1.8.21 is now available, and is a security & maintenance release.

This version includes updated jQuery and SCeditor, JSON Syndication format, improved PostgreSQL support, improved PHP >= 7.1 compatibility, improved search function reliability. See information on SCEditor-related theme updates.

  • 6 security vulnerabilities addressed:

    • High risk: Theme import stylesheet name RCE — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • High risk: Nested video MyCode persistent XSS — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • Medium risk: Find Orphaned Attachments reflected XSS — reported by Simon Scannell of RIPS Technologies
    • Medium risk: Post edit reflected XSS — reported by adm1nkyj of ENKI
    • Medium risk: Private Messaging folders SQL injection — reported by Alex of DiscoveryGC
    • Low risk: Potential phar deserialization through Upload Path — reported by Simon Scannell of RIPS Technologies
  • 39 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.20 Released — Security & Maintenance Release

MyBB 1.8.20 is now available, and is a security & maintenance release.

This release includes allowing users to see their unapproved content and view user referrals; compatibility with PHP >= 7.2 has been improved and jQuery has been upgraded to 3.0.0, which might affect custom JavaScript code in plugins and themes.

  • 5 security vulnerabilities addressed:

    • Medium risk: Reset Password reflected XSS
    • Medium risk: ModCP Profile Editor username reflected XSS — reported by Jovan Zivanovic of MaTRIS Research Group, SBA Research
    • Low risk: Predictable CSRF token for guest users — reported by Devilshakerz of MyBB Team
    • Low risk: ACP Stylesheet Properties XSS — reported by Cillian Collins
    • Low risk: Reset Password username enumeration via email — reported by Abdullah Md. Shaleh
  • 42 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.19 Released — Security & Maintenance Release

MyBB 1.8.19 is now available, and is a security & maintenance release.

This update includes improved compatibility with PostgreSQL and resolves regressions from previous versions. Administrators may need to update CSS code in global.css for customized themes.

  • 4 security vulnerabilities addressed:

    • High risk: Email field SQL Injection — reported by StefanT
    • Medium risk: Video MyCode Persistent XSS in Visual Editor — reported by Numan OZDEMIR of InfinitumIT
    • Low risk: Insufficient permission check in User CP’s attachment management — reported by StefanT
    • Low risk: Insufficient email address verification — reported by StefanT
  • 8 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.18 Released — Security & Maintenance Release

MyBB 1.8.18 is now available, and is a security & maintenance release.

Changes include added support for Mixer videos and multi-file attachments, modified Word Filter behavior, fixes to the mailing queue and improved compatibility with SQLite and MySQL 8. Theme CSS changes may be required and administrators may need to review Word Filters.

  • 2 security vulnerabilities addressed:

    • High risk: Image MyCode “alt” attribute persistent XSS — reported by Punisher_HF
    • Medium risk: RSS Atom 1.0 item title persistent XSS — reported by 0xB9
  • 30 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.17 Released — Maintenance Release

MyBB 1.8.17 is now available, and is a maintenance release.

This update fixes several issues introduced by MyBB 1.8.16 such as not being able to log into forums.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team