CVE-2011-10018
myBB 1.6.4 Backdoor Arbitrary Command Execution
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.
| CWE | CWE-912 CWE-94 |
| Vendor | mybb group |
| Product | forum software |
| Published | Aug 13, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
myBB Group / Forum Software
1.6.4
References
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb
exploit-db.com: https://www.exploit-db.com/exploits/17949
web.archive.org: https://web.archive.org/web/20111015224948/http://secunia.com/advisories/46300/
blog.mybb.com: https://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/
vulncheck.com: https://www.vulncheck.com/advisories/mybb-backdoor-arbitrary-command-execution
Credits
MyBB