The remote FreeBSD host is missing a security-related update.
mybb team reports : Input passed via avatar extensions is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by uploading specially named avatars. The script allows to sign up with usernames containing zero width space characters, which can be exploited to e.g. conduct spoofing attacks.