Description
member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account's registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output.
Remediation
References
Related Vulnerabilities
SharePoint Insufficient Granularity of Access Control Vulnerability (CVE-2026-40365)
WordPress Plugin Yoast SEO Unspecified Vulnerability (5.9.2)
Liferay DXP Incorrect Authorization Vulnerability (CVE-2025-3586)
LimeSurvey Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2021-44967)