Skip to main content

Xenforo CVE-2025-71282

| EUVDEUVD-2025-209158 HIGH
Error Message Information Leak (CWE-209)
2026-04-01 VulnCheck GHSA-8fvj-rw6m-xrph
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.3.7
EUVD ID Assigned
Apr 01, 2026 - 01:15 euvd
EUVD-2025-209158
Analysis Generated
Apr 01, 2026 - 01:15 vuln.today
CVE Published
Apr 01, 2026 - 00:30 nvd
HIGH 8.7

DescriptionCVE.org

XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure.

AnalysisAI

XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by open_basedir PHP restrictions, enabling remote unauthenticated attackers to map internal directory structures. This information disclosure vulnerability (CWE-209) affects XenForo installations and has been addressed in version 2.3.7 with vendor-confirmed security fixes. No public exploit code or active exploitation is identified at time of analysis, though the unauthenticated remote attack vector and low complexity make reconnaissance straightforward for targeted attacks.

Technical ContextAI

This vulnerability exploits improper error handling in XenForo's PHP-based forum platform when encountering open_basedir restrictions. The open_basedir directive is a PHP security mechanism that restricts file operations to specified directories. When XenForo code attempts to access paths outside the configured allowed directories, PHP throws exceptions that inadvertently include full filesystem paths in error messages visible to remote users. This represents a classic CWE-209 (Generation of Error Message Containing Sensitive Information) weakness where verbose exception handling exposes internal implementation details. The vulnerability affects XenForo forum software (CPE 2.3:a:xenforo:xenforo) across all versions prior to 2.3.7, indicating the error handling pattern was present throughout the codebase. Such path disclosure typically occurs through web-accessible error pages or API responses that fail to sanitize exception details before presentation to end users.

RemediationAI

Upgrade XenForo installations to version 2.3.7 or later, which includes security fixes addressing the path disclosure issue. The vendor-released patch is available through official XenForo channels documented at https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/. Organizations should follow standard XenForo upgrade procedures including backing up the database and files before applying the update. As a temporary mitigation for installations unable to immediately upgrade, administrators may configure web server error handling to suppress detailed PHP error messages from being displayed to end users and instead log them server-side only, though this workaround does not address the underlying exception handling issue and should not replace timely patching. Review server logs for unusual patterns of error generation that might indicate active reconnaissance attempts exploiting this disclosure. Additional technical analysis is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/xenforo-path-disclosure-via-open-basedir-exceptions.

Share

CVE-2025-71282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy