MyBB Forum Software Vulnerability: Inadequate Permission Validation in Search Functionality
CVE-2025-48941

5.3 MEDIUM

Key Information:

Vendor: Mybb

CVE Published: 2 June 2025

What is CVE-2025-48941?

MyBB, an open source forum software, is susceptible to a security oversight where its search component fails to correctly validate permissions. This weakness enables attackers to ascertain the existence of hidden threads—including drafts, unapproved content, or soft-deleted threads—by executing searches with specific title text. The internal search queries do not validate the visibility state of threads, allowing a user to determine the presence of such threads based merely on the search results returned. While the software does perform permission checks when displaying search results, the way it handles internal queries leads to the inadvertent exposure of thread visibility statuses. This vulnerability necessitates user access to the search feature and general forum access, but does not reveal the contents of the posts themselves. MyBB version 1.8.39 addresses and resolves this flaw.
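
A simplified model of the two-stage search described above, added here as an illustration; it is not MyBB's code. The table layout, state names, the `search` and `distinguishable` helpers, and the assumption that an empty candidate set yields a different response from a rendered but empty listing are all constructed for the example.

```python
import sqlite3

# Constructed schema and rows: a simplified model, not MyBB's tables or code.
ROWS = [
    (1, "Welcome to the forum", "visible"),
    (2, "Q3 layoffs announcement", "draft"),
    (3, "Spam report thread", "soft_deleted"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE threads (tid INTEGER PRIMARY KEY, subject TEXT, state TEXT)")
    db.executemany("INSERT INTO threads VALUES (?, ?, ?)", ROWS)
    return db

def search(db, keyword, filter_in_query):
    """Stage 1 collects candidate thread ids; stage 2 renders the listing.

    Returns (outcome, titles): 'no_results' when stage 1 matched nothing,
    'results_page' when stage 1 matched and a listing was rendered.
    """
    sql = "SELECT tid FROM threads WHERE instr(lower(subject), lower(?)) > 0"
    if filter_in_query:
        # Hardened form: visibility state is checked inside the internal query.
        sql += " AND state = 'visible'"
    tids = [row[0] for row in db.execute(sql, (keyword,))]
    if not tids:
        return "no_results", []
    # Stage 2: display-time permission check, present in both variants.
    marks = ",".join("?" * len(tids))
    rows = db.execute(
        f"SELECT subject FROM threads WHERE tid IN ({marks}) AND state = 'visible'",
        tids,
    )
    return "results_page", [row[0] for row in rows]

def distinguishable(filter_in_query):
    """True if a hidden thread's title and an absent title get different responses."""
    db = make_db()
    hidden = search(db, "layoffs", filter_in_query)
    absent = search(db, "zzz-no-such-title", filter_in_query)
    return hidden != absent

if __name__ == "__main__":
    print("display-time check only:", distinguishable(False))   # responses differ
    print("visibility in internal query:", distinguishable(True))  # responses match
```

In the first variant no post content is returned for the draft, yet the response type alone confirms that a thread with that title exists; moving the visibility condition into the candidate query makes hidden and absent titles indistinguishable.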

Affected Version(s)

mybb < 1.8.39


CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
