MyBB 1.8.40

Security, Maintenance

Version code: 1840

Full Package

Install a new MyBB forum or upgrade from older versions.

.zip – 2.22 MB

Download from MyBB.com | Download from GitHub.com (mirror)

sha512:

40e1c4d72394488737b1e888b5eccc844f491c8514e58396c75ef901ff708949d01ffd290516b505dac61e39c832d7b3e84a2c6c8851aa37bba7adf73fb40f35

sha256:

380fb63c50c63f52c747ba05d1002ad77f2f0b1d254db213092501dd5e9375dc

sha1:

d1cc61c348852441238d65fc4257c0cc4946f7cb

md5:

99b00d676ff8cb580522a0e15ad8befc

Changed Files

Upgrade from the previous version.

.zip – 1.04 MB

Download from MyBB.com | Download from GitHub.com (mirror)

sha512:

281858ab1f950d8086f171e00c9b84355dd4f499c3c846ada94c725c90873bee3696c49212f4c93dc1098b3804372268bd995cba7677fd481685a15978ebd268

sha256:

9a4068567c98afe73650f9d93a42f9877d35dd01dc70fac0606c96ceff58224d

sha1:

7b769e14ad4326abf3c0392bfd8c5ca68e1c747b

md5:

1218d5ba8ebda388983d7c3e37af480d

How to verify packages
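
An added example (not from the MyBB project) of checking a downloaded archive against the SHA-512 and SHA-256 values listed above before installing it. The `full`/`changed` keys and the local file name are assumptions.

```python
import hashlib
import sys

# Digests copied from this page. Only the SHA-2 values are used: MD5 and SHA-1
# are not collision-resistant, so a match on those alone proves little.
PUBLISHED = {
    "full": {
        "sha512": "40e1c4d72394488737b1e888b5eccc844f491c8514e58396c75ef901ff708949d01ffd290516b505dac61e39c832d7b3e84a2c6c8851aa37bba7adf73fb40f35",
        "sha256": "380fb63c50c63f52c747ba05d1002ad77f2f0b1d254db213092501dd5e9375dc",
    },
    "changed": {
        "sha512": "281858ab1f950d8086f171e00c9b84355dd4f499c3c846ada94c725c90873bee3696c49212f4c93dc1098b3804372268bd995cba7677fd481685a15978ebd268",
        "sha256": "9a4068567c98afe73650f9d93a42f9877d35dd01dc70fac0606c96ceff58224d",
    },
}
STRONG = ("sha512", "sha256")


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large archives are not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, expected):
    """Return True only if every SHA-2 digest in `expected` matches the file."""
    checks = {a: v for a, v in expected.items() if a in STRONG}
    if not checks:
        raise ValueError("no SHA-256/SHA-512 digest given; not trusting MD5/SHA-1 alone")
    ok = True
    for algo, value in checks.items():
        want = value.strip().lower()
        if len(want) != hashlib.new(algo).digest_size * 2:
            raise ValueError(f"{algo} value has the wrong length (truncated copy?)")
        ok = (file_digest(path, algo) == want) and ok
    return ok


if __name__ == "__main__":
    # Usage (archive name is whatever you saved the download as):
    #   python verify_mybb.py full mybb_1840.zip
    package, archive = sys.argv[1], sys.argv[2]
    ok = verify(archive, PUBLISHED[package])
    print("OK" if ok else "MISMATCH: do not install this archive")
    sys.exit(0 if ok else 1)
```

The script exits non-zero on a mismatch, so it can gate an automated upgrade step.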

This version includes stability fixes, adds controls for post icon features, and removes the discontinued Google Hangouts profile fields.

Please note that the Configuration File’s default Disallowed Remote Addresses list has changed and needs to be manually replaced/updated when upgrading.

Please note that the global.css file requires a manual insertion of two additional CSS lines.

Upgrading to this Version

To upgrade: copy and overwrite the files, and run the install/ upgrade script.

Before performing any upgrade, remember to back up your forum’s files and database and store the backups safely.

If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

Follow the Upgrade Documentation for more detailed instructions.

Security Vulnerabilities Addressed (18)

High risk

Buddy/ignore list username XSS advisory

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L CVE-2026-45115 Reported by Maxim Gofnung (Mallory.ai), Shuang Liao (Fudan University)

High risk

Profile field type confusion XSS advisory

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVE-2026-45116 Reported by valent1

High risk

Installer database configuration RCE advisory

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-45117 Reported by Devilshakerz (MyBB Team)

Medium risk

Contact page reflected XSS advisory

CWE-83 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L CVE-2026-45118 Reported by Shuang Liao (Fudan University)

Medium risk

ACP UTF-8 Conversion CSRF advisory

CWE-352 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H CVE-2026-45119 Reported by Devilshakerz (MyBB Team)

Medium risk

Insufficient authorization for private calendar events advisory

CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2026-45120 Reported by HuajiHD

Medium risk

Insufficient permission check for calendar select advisory

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2026-45121 Reported by HuajiHD

Medium risk

Buddy list corruption advisory

CWE-252 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2026-47245 Reported by Devilshakerz (MyBB Team)

Low risk

Insufficient permission check for calendar event move advisory

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2026-45122 Reported by HuajiHD

Low risk

Mod CP report resolution missing authorization advisory

CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2026-45124 Reported by Devilshakerz (MyBB Team)

Low risk

IPv6 SSRF advisory

CWE-918 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVE-2026-45123 Reported by Assaf Alassaf

Low risk

Email User CRLF injection advisory

CWE-93 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-45125 Reported by Devilshakerz (MyBB Team)

Low risk

ACP Recovery Codes CSRF advisory

CWE-352 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L CVE-2026-45129 Reported by Devilshakerz (MyBB Team)

Low risk

ACP Questions state CSRF advisory

CWE-352 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVE-2026-45126 Reported by Devilshakerz (MyBB Team)

Low risk

ACP Users View Manager default CSRF advisory

CWE-352 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVE-2026-45128 Reported by Devilshakerz (MyBB Team)

Low risk

ACP Mass Mail draft resend CSRF advisory

CWE-352 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVE-2026-45127 Reported by Devilshakerz (MyBB Team)

Low risk

Default CAPTCHA missing invalidation advisory

CWE-837 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-45734 Reported by Himanshu Anand

Low risk

Security Question insufficient validation advisory

CWE-636 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-46482 Reported by Devilshakerz (MyBB Team)

Notable Contributions

Buddy/ignore list management technical reflected XSS weakness

by Shuang Liao (Fudan University)

Contact page open redirect weakness

by Himanshu Anand

Issues Resolved (31)

View issues on GitHub

Changed Files ()

Changed Language Files (13)

There are changes to 13 language file(s). Changed language files can be cross-referenced from the list above.

Changed Templates (9)

  • codebuttons
  • member_profile_contact_details
  • member_register_regimage_cfturnstile
  • memberlist_search
  • modcp_editprofile
  • post_captcha_cfturnstile
  • usercp_profile
  • xmlhttp_buddyselect_offline
  • xmlhttp_buddyselect_online