CVE-2026-58054
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-269
Gestión de privilegios incorrecta
Fecha de publicación:
28/06/2026
Última modificación:
29/06/2026
Descripción
*** Pendiente de traducción *** MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.
Impacto
Puntuación base 4.0
8.60
Gravedad 4.0
ALTA
Puntuación base 3.x
7.20
Gravedad 3.x
ALTA



