Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.
https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm
https://blog.sonarsource.com/mybb-remote-code-execution-chain
http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html