
Xenforo CVE-2026-35054

EUVD-2026-17739 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 · VulnCheck · GHSA-2ch2-j7qp-pqm3
5.1 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD) breakdown:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive
Scope: X (not defined)

Lifecycle Timeline

Patch available (2.3.9): Apr 16, 2026 - 05:29 (EUVD)
EUVD ID assigned (EUVD-2026-17739): Apr 01, 2026 - 01:15 (EUVD)
Analysis generated: Apr 01, 2026 - 01:15 (vuln.today)
CVE published (MEDIUM 5.1): Apr 01, 2026 - 00:30 (NVD)

Description (CVE.org)

XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.

Analysis (AI-generated)

Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts through BB code that persist in the application and execute when other users view the affected content. The vulnerability requires user interaction (viewing the malicious post) and authenticated access to create content, limiting its scope but enabling account compromise and session hijacking of affected users.


Vulnerability Assessment (AI-generated)

Risk Assessment: The CVSS v4.0 score of 5.1 reflects a low-severity impact profile: the vulnerability has scope changes limited to the security layer (SC:L), causes low integrity and confidentiality impacts, and requires prior authentication (PR:L) with user interaction (UI:P). …

Exploit Scenario: A malicious forum member crafts a post containing specially formatted BB code that includes embedded JavaScript, such as within an [url], [img], or custom BB code tag. When the post is submitted and stored in the database, the injected script is not properly sanitized. …

Remediation: Upgrade XenForo to version 2.3.9 or later, which includes the BB code rendering security fix. …
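As an added illustration of the defensive side of the scenario above (this is constructed example code, not XenForo's renderer and not the fix shipped in 2.3.9), a minimal BB code renderer that applies the two controls a rendering layer needs against this class of stored XSS: HTML-escape all input before expanding any tag, and allowlist the URL scheme of [url]/[img] arguments. The tag subset, function names and sample posts are assumptions for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Illustrative hardened BB code renderer (constructed example, not XenForo's
# code). Two defences cover the [url]/[img] cases named in the analysis:
#   1. all input is HTML-escaped before any tag is expanded, so post text can
#      never break out of an attribute or open a <script> element;
#   2. URL-bearing tags accept only http(s), so a "javascript:" argument (any
#      letter case, leading whitespace) never reaches an href or src.
SAFE_SCHEMES = {"http", "https"}
URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.I | re.S)
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.I | re.S)
BOLD_TAG = re.compile(r"\[b\](.*?)\[/b\]", re.I | re.S)

def safe_url(raw: str):
    """Return the attribute-escaped URL if its scheme is allowlisted, else None."""
    candidate = html.unescape(raw).strip()   # raw arrives already escaped
    try:
        scheme = urlsplit(candidate).scheme.lower()
    except ValueError:                       # malformed (e.g. bad IPv6 literal)
        return None
    if scheme not in SAFE_SCHEMES:
        return None
    return html.escape(candidate, quote=True)

def _url(m):
    href = safe_url(m.group(1))
    # Unsafe link: keep the visible text, drop the link entirely.
    return m.group(2) if href is None else f'<a href="{href}">{m.group(2)}</a>'

def _img(m):
    src = safe_url(m.group(1))
    return "" if src is None else f'<img src="{src}" alt="">'

def render_bbcode(text: str) -> str:
    """Render a small BB code subset to HTML; escaping happens before tags."""
    out = html.escape(text, quote=True)   # defence 1
    out = URL_TAG.sub(_url, out)          # defence 2 lives in the handlers
    out = IMG_TAG.sub(_img, out)
    out = BOLD_TAG.sub(lambda m: f"<b>{m.group(1)}</b>", out)
    return out

if __name__ == "__main__":
    # Constructed sample posts, not taken from the advisory.
    print(render_bbcode("[url=https://example.com]site[/url] [b]ok[/b]"))
    print(render_bbcode("[url=javascript:alert(1)]click[/url]"))   # -> click
    print(render_bbcode('[img]x" onerror="alert(1)[/img]'))        # -> ""
```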


CVE-2026-35054 vulnerability details – vuln.today
