Platform: php
Component: mybb
Fixed in: 1.8.40
CVE-2025-48940 describes a Local File Inclusion (LFI) vulnerability affecting MyBB forum software versions prior to 1.8.39. This vulnerability allows attackers to potentially read arbitrary files on the server if the upgrade process is accessible and the installer is unlocked. The vulnerability is resolved in MyBB version 1.8.39, and users are strongly advised to upgrade immediately.
Successful exploitation of CVE-2025-48940 could allow an attacker to read sensitive configuration files, source code, or other critical data stored on the server. This could lead to further compromise of the system, including privilege escalation or data exfiltration. Exploitation requires that the installer first be unlocked (the install/lock file is absent) and that the attacker can reach the upgrade script, which typically means re-installing or acting as an administrator. The impact is significant because of the potential for unauthorized access to sensitive information.
CVE-2025-48940 was publicly disclosed on 2025-06-02. No public proof-of-concept (POC) code has been released as of this writing. The EPSS score is pending evaluation, but the LFI nature of the vulnerability suggests a potential for medium to high exploitation probability. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
The primary mitigation for CVE-2025-48940 is to upgrade MyBB to version 1.8.39 or later. If an immediate upgrade is not possible, ensure the install/lock file is present to prevent unauthorized access to the installer. Restrict access to the install/index.php script to prevent attackers from triggering the upgrade process. Monitor server logs for suspicious activity related to file access attempts. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file through the upgrade script and verifying that an error is returned.
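As an added example (not code from this advisory or from the MyBB project), a small POSIX shell audit that checks the two preconditions the advisory names, an installer directory that is still present and a missing install/lock file, and applies the lock-file mitigation; the document root path is an assumption passed as an argument.

```shell
#!/bin/sh
# Added example, not part of the advisory or of MyBB itself. Paths used
# (install/, install/lock, install/index.php) are MyBB's standard layout
# as referenced in the advisory text. The document root is an assumption
# supplied by the caller.
#
# Usage: . ./mybb_install_audit.sh; mybb_install_state /var/www/mybb

# mybb_install_state DOCROOT
# Prints one of: removed | locked | UNLOCKED
# Returns 0 when the installer is absent or locked (the LFI precondition
# is not met), 1 when install/ exists without a lock file.
mybb_install_state() {
  docroot=$1
  if [ ! -d "$docroot/install" ]; then
    echo "removed"
    return 0
  fi
  if [ -f "$docroot/install/lock" ]; then
    echo "locked"
    return 0
  fi
  # install/index.php reachable and no lock: the state the advisory warns about
  echo "UNLOCKED"
  return 1
}

# mybb_lock_installer DOCROOT
# Mitigation from the advisory: (re)create install/lock so the
# installer/upgrader refuses to run. Safe to call repeatedly.
mybb_lock_installer() {
  docroot=$1
  [ -d "$docroot/install" ] || return 0
  : > "$docroot/install/lock" && chmod 0644 "$docroot/install/lock"
}
```

Run the audit as part of a post-upgrade check alongside the web-server rule that denies access to install/index.php.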
Update MyBB to version 1.8.39 or later. This version fixes the local file inclusion vulnerability. Make sure the `install/lock` file is present to prevent unauthorized access to the installer.
CVE-2025-48940 is a Local File Inclusion (LFI) vulnerability in MyBB forum software versions 1.8.39 and earlier, allowing attackers to potentially read sensitive files.
You are affected if you are using MyBB version 1.8.39 or earlier. Upgrade to version 1.8.39 to resolve the vulnerability.
Upgrade MyBB to version 1.8.39. Ensure the install/lock file is present and restrict access to the install/index.php script.
As of now, there is no confirmed active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official MyBB security advisory for detailed information and updates: [https://docs.mybb.com/security/security-advisories/](https://docs.mybb.com/security/security-advisories/)