A reflected XSS vulnerability in the ModCP Profile Editor in MyBB prior to 1.8.20 allows remote malicious users to inject JavaScript via the 'username' parameter.
mybb mybb