CVE-2026-58054
Severity CVSS v4.0:
HIGH
Type:
CWE-269
Improper Privilege Management
Publication date:
28/06/2026
Last modified:
29/06/2026
Description
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.
Impact
Base Score 4.0
8.60
Severity 4.0
HIGH
Base Score 3.x
7.20
Severity 3.x
HIGH



