CVE-2011-10018 | myBB version 1.6.4 was distributed with an unauthorized back… | CVSS 10.0 CRITICAL

Description

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.

Metadata

CVE ID: CVE-2011-10018
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2025-08-13 17:52 UTC
Published: 2025-08-13 20:35 UTC
Last updated: 2026-04-07 14:02 UTC
Primary CWE: CWE-912
CWE-912 Hidden Functionality
Vendor / Product: myBB Group / Forum Software
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
myBB Group	Forum Software	—	1.6.4

Weakness (CWE)

CWE	Source	Description
CWE-912	cna	CWE-912 Hidden Functionality
CWE-94	cna	CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (5)