🔴 High | CVE-2026-58054 — MyBB 1.8.40 does not restrict which usergroup a limited
🔴 High-severity security vulnerability: CVE-2026-58054
CVSS score: High (8.6) CVE ID: CVE-2026-58054
Vulnerability description
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-58054 |
| CVSS score | 8.6 |
| Severity | High |
| Published | 2026-06-28 |
| Status | Received |
Data source: NVD | Retrieved: 2026-06-28 18:15
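
A minimal model of the check the description says is missing, added here as an illustration (it is not MyBB source code and not the vendor fix). Only `verify_usergroup()` returning true and gid 4 come from the advisory; the `$actor` array shape, the `is_full_admin` flag, the allowlist and the helper names are assumptions, and the example also covers additional groups submitted in the same request.

```php
<?php
declare(strict_types=1);

// Illustrative model only; not MyBB source and not the vendor fix.
const GID_ADMINISTRATORS = 4; // Administrators group id, as stated in the advisory

/** Behaviour described in the advisory: any requested group is accepted. */
function verify_usergroup_permissive(array $actor, int $requestedGid): bool
{
    return true;
}

/**
 * Hardened variant (assumption): a group may be assigned only if the acting
 * admin is a full administrator, or the group is on an explicit allowlist
 * for delegated user managers that never includes the Administrators group.
 */
function verify_usergroup_restricted(array $actor, int $requestedGid, array $allowlist): bool
{
    if ($requestedGid <= 0) {
        return false; // reject malformed ids before any policy decision
    }
    if (!empty($actor['is_full_admin'])) {
        return true;
    }
    if ($requestedGid === GID_ADMINISTRATORS) {
        return false; // a delegated manager can never grant the full admin set
    }
    return in_array($requestedGid, $allowlist, true);
}

/** Check every group in one create/edit request; returns the rejected gids. */
function validate_group_assignment(array $actor, int $primaryGid, array $additionalGids, array $allowlist): array
{
    $rejected = [];
    foreach (array_merge([$primaryGid], $additionalGids) as $gid) {
        if (!verify_usergroup_restricted($actor, (int) $gid, $allowlist)) {
            $rejected[] = (int) $gid;
        }
    }
    return $rejected; // an empty array means the request may proceed
}

// Constructed sample: a delegated user manager submits gid 4 as an additional group.
$delegated = ['uid' => 12, 'is_full_admin' => false]; // hypothetical actor record
$allowlist = [2, 5];                                  // hypothetical assignable groups
var_dump(verify_usergroup_permissive($delegated, GID_ADMINISTRATORS));
print_r(validate_group_assignment($delegated, 2, [4], $allowlist));
```

The decision is made server-side from the acting admin's own privileges, so hiding the Administrators option in the form alone would not be sufficient.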